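// Polymorphic map theory. Every function in this domain is uninterpreted and
// constrained only by the axioms below. The verifier assumes axioms without
// proof, so they are part of the trusted base: a contradictory axiom set
// would make any assertion that can reach it verify.
domain MyMap[U, V] {
  // Set of keys of m.
  function Map_keys(m: MyMap[U, V]): Set[U]
  // Number of keys of m (tied to |Map_keys(m)| by Map_card_domain).
  function Map_card(m: MyMap[U, V]): Int
  // Value stored under u. Constrained by Map_build_1, Map_union_2/3 and
  // Map_equality; nothing is said about keys outside Map_keys(m).
  function Map_lookup(m: MyMap[U, V], u: U): V
  // Set of values stored under some key (Map_values_def).
  function Map_values(m: MyMap[U, V]): Set[V]
  // The map without keys (Map_empty_1, Map_empty_2).
  function Map_empty(): MyMap[U, V]
  // m with u mapped to v (Map_build_1 to Map_build_3).
  function Map_build(m: MyMap[U, V], u: U, v: V): MyMap[U, V]
  // Extensional equality test (Map_equality, Map_extensionality).
  function Map_equal(m1: MyMap[U, V], m2: MyMap[U, V]): Bool
  // True when no key belongs to both maps (Map_disjoint_def).
  function Map_disjoint(m1: MyMap[U, V], m2: MyMap[U, V]): Bool
  // Union of two maps; the axioms constrain it only for disjoint arguments.
  function Map_union(m1: MyMap[U, V], m2: MyMap[U, V]): MyMap[U, V]

  // Cardinality is never negative.
  axiom Map_card_non_neg {
    (forall m: MyMap[U, V] :: { Map_card(m) } 0 <= Map_card(m))
  }

  // Cardinality equals the size of the key set.
  axiom Map_card_domain {
    (forall m: MyMap[U, V] :: { |Map_keys(m)| } |Map_keys(m)| == Map_card(m))
  }

  // v is a value of m exactly when some key of m maps to it.
  axiom Map_values_def {
    (forall m: MyMap[U, V], v: V :: { (v in Map_values(m)) }
      (v in Map_values(m)) == (exists u: U :: (u in Map_keys(m)) && v == Map_lookup(m, u)))
  }

  // The empty map has no keys.
  axiom Map_empty_1 {
    (forall u: U :: { (u in Map_keys(Map_empty())) } !((u in Map_keys(Map_empty()))))
  }

  // Cardinality 0 characterises the empty map; a non-zero cardinality
  // guarantees that some key exists.
  axiom Map_empty_2 {
    (forall m: MyMap[U, V] :: { Map_card(m) }
      (Map_card(m) == 0) == (m == Map_empty()) &&
      (Map_card(m) != 0 ==> (exists u: U :: (u in Map_keys(m)))))
  }

  // After Map_build(m, u1, v): u1 is a key with value v, and every other key
  // u2 keeps both its membership and its value.
  axiom Map_build_1 {
    (forall m: MyMap[U, V], u1: U, u2: U, v: V :: { (u2 in Map_keys(Map_build(m, u1, v))) }
      (u2 == u1 ==> (u2 in Map_keys(Map_build(m, u1, v))) && Map_lookup(Map_build(m, u1, v), u1) == v) &&
      (u2 != u1 ==> (u2 in Map_keys(Map_build(m, u1, v))) == (u2 in Map_keys(m)) && Map_lookup(Map_build(m, u1, v), u2) == Map_lookup(m, u2)))
  }

  // Overwriting an existing key leaves the cardinality unchanged.
  axiom Map_build_2 {
    (forall m: MyMap[U, V], u: U, v: V :: { Map_card(Map_build(m, u, v)) }
      (u in Map_keys(m)) ==> Map_card(Map_build(m, u, v)) == Map_card(m))
  }

  // Adding a fresh key increases the cardinality by one.
  axiom Map_build_3 {
    (forall m: MyMap[U, V], u: U, v: V :: { Map_card(Map_build(m, u, v)) }
      !((u in Map_keys(m))) ==> Map_card(Map_build(m, u, v)) == Map_card(m) + 1)
  }

  // Two maps are Map_equal when they have the same keys AND agree on the
  // value of every key. The value clause is needed for consistency:
  // Map_extensionality turns Map_equal into ==, so a definition that compares
  // key sets only would equate Map_build(m, u, v1) with Map_build(m, u, v2)
  // and, through Map_build_1, yield v1 == v2 for arbitrary v1 and v2.
  axiom Map_equality {
    (forall m1: MyMap[U, V], m2: MyMap[U, V] :: { Map_equal(m1, m2) }
      Map_equal(m1, m2) ==
      (forall u: U :: { (u in Map_keys(m1)) } { (u in Map_keys(m2)) }
        ((u in Map_keys(m1)) == (u in Map_keys(m2))) &&
        ((u in Map_keys(m1)) ==> Map_lookup(m1, u) == Map_lookup(m2, u))))
  }

  // Map_equal maps are identical.
  axiom Map_extensionality {
    (forall m1: MyMap[U, V], m2: MyMap[U, V] :: { Map_equal(m1, m2) } Map_equal(m1, m2) ==> m1 == m2)
  }

  // Disjoint maps share no key.
  axiom Map_disjoint_def {
    (forall m1: MyMap[U, V], m2: MyMap[U, V] :: { Map_disjoint(m1, m2) }
      Map_disjoint(m1, m2) ==
      (forall u: U :: { (u in Map_keys(m1)) } { (u in Map_keys(m2)) } !((u in Map_keys(m1))) || !((u in Map_keys(m2)))))
  }

  // For disjoint maps, the keys of the union are the union of the key sets.
  axiom Map_union_1 {
    (forall m1: MyMap[U, V], m2: MyMap[U, V], u: U :: { (u in Map_keys(Map_union(m1, m2))) } { (u in (Map_keys(m1) union Map_keys(m2))) }
      Map_disjoint(m1, m2) ==> (u in Map_keys(Map_union(m1, m2))) == (u in (Map_keys(m1) union Map_keys(m2))))
  }

  // For disjoint maps, keys of m1 keep their m1 value in the union.
  axiom Map_union_2 {
    (forall m1: MyMap[U, V], m2: MyMap[U, V], u: U :: { Map_lookup(Map_union(m1, m2), u) }
      Map_disjoint(m1, m2) && (u in Map_keys(m1)) ==> Map_lookup(Map_union(m1, m2), u) == Map_lookup(m1, u))
  }

  // For disjoint maps, keys of m2 keep their m2 value in the union.
  axiom Map_union_3 {
    (forall m1: MyMap[U, V], m2: MyMap[U, V], u: U :: { Map_lookup(Map_union(m1, m2), u) }
      Map_disjoint(m1, m2) && (u in Map_keys(m2)) ==> Map_lookup(Map_union(m1, m2), u) == Map_lookup(m2, u))
  }
}

// Bool functions without axioms, one per region type. In the visible part of
// the file they occur only as the assumed half of `ensures [X_state_T(...), true]`
// on the *_state functions; presumably they exist to supply trigger terms.
domain trigger_functions {
  function Counter_state_T(c: Ref, lvl: Int, x: Ref): Bool
  function SeqCounter_state_T(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Bool
  function ParCounter_state_T(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Bool
}

// Axiom-free Bool functions that the *_interferenceReference_hf functions
// name in their assumed postconditions.
domain interferenceReference_Domain {
  function Counter_interferenceReference_df($p0: Int, c: Ref, lvl: Int, x: Ref): Bool
  function SeqCounter_interferenceReference_df($p0: Int, k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Bool
  function ParCounter_interferenceReference_df($p0: Int, k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Bool
}

// Axiom-free Set[Int] functions; the *_interferenceSet_hf functions are
// assumed to return subsets of them.
domain interferenceSet_Domain {
  function Counter_interferenceSet_df($p0: Int, c: Ref, lvl: Int, x: Ref): Set[Int]
  function SeqCounter_interferenceSet_df($p0: Int, k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Set[Int]
  function ParCounter_interferenceSet_df($p0: Int, k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Set[Int]
}

// Axiom-free Bool functions, one per region type.
domain atomicity_context_Domain {
  function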
Counter_atomicity_context_df(c: Ref, lvl: Int, x: Ref): Bool
  function SeqCounter_atomicity_context_df(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Bool
  function ParCounter_atomicity_context_df(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Bool
}

// Heap fields. $memcell_$f is the cell guarded by the Counter predicate.
// $diamond is only queried through perm(...) in the visible methods, and
// $stepFrom_int / $stepTo_int are not used in the visible part of the file.
field $diamond: Int
field $stepFrom_int: Int
field $stepTo_int: Int
field $memcell_$f: Int

// The set of all integers. The function has no body, so its postcondition is
// assumed wherever it is applied rather than proved.
function IntSet(): Set[Int]
  ensures (forall n: Int :: (n in result))

// The set of non-negative integers: n is a member exactly when 0 <= n.
// Bodyless as well, so the postcondition is an assumption.
function NatSet(): Set[Int]
  ensures (forall n: Int :: 0 <= n == (n in result))

// ---- Counter: heap-dependent helper functions ----
// `ensures [A, true]` is an inhale-exhale assertion: A is what a user of the
// function gets to assume, `true` is what would have to be established. The
// *_df / *_T facts named there are therefore never proved.
// $p0 is an integer tag; the methods below pass a different literal at each
// inference or stabilisation point (0, 1, 2), presumably one per program point.

// Atomicity-context set of a Counter region; bodyless, value framed by
// Counter_atomicity_context_fp.
function Counter_atomicity_context_hf(c: Ref, lvl: Int, x: Ref): Set[Int]
  requires acc(Counter_atomicity_context_fp(c, lvl, x), write)
  ensures [Counter_atomicity_context_df(c, lvl, x), true]

// Interference set of a Counter region; bodyless, value framed by
// Counter_interferenceContext_fp. Assumed to be a subset of the matching _df set.
function Counter_interferenceSet_hf($p0: Int, c: Ref, lvl: Int, x: Ref): Set[Int]
  requires acc(Counter_interferenceContext_fp(c, lvl, x), write)
  ensures [(forall $_m: Int :: { ($_m in result) } ($_m in result) ==> ($_m in Counter_interferenceSet_df($p0, c, lvl, x))), true]

// Interference reference value of a Counter region; bodyless, framed by the
// same predicate as the interference set.
function Counter_interferenceReference_hf($p0: Int, c: Ref, lvl: Int, x: Ref): Int
  requires acc(Counter_interferenceContext_fp(c, lvl, x), write)
  ensures [Counter_interferenceReference_df($p0, c, lvl, x), true]

// Bodyless Int functions framed by Counter_sk_fp. The methods below use them
// as the source (n) and target (m) state of a possible environment step.
function Counter_sk_$_action_n(c: Ref, lvl: Int, x: Ref): Int
  requires acc(Counter_sk_fp(), write)

function Counter_sk_$_action_m(c: Ref, lvl: Int, x: Ref): Int
  requires acc(Counter_sk_fp(), write)

// Abstract state of a Counter region: the content of x.$memcell_$f, read by
// temporarily unfolding the Counter predicate.
function Counter_state(c: Ref, lvl: Int, x: Ref): Int
  requires acc(Counter(c, lvl, x), write)
  ensures [Counter_state_T(c, lvl, x), true]
{
  (unfolding acc(Counter(c, lvl, x), write) in x.$memcell_$f)
}

// ---- SeqCounter: same family of helpers, with the extra parameters k and alvl ----
function SeqCounter_atomicity_context_hf(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Set[Int]
  requires acc(SeqCounter_atomicity_context_fp(k, alvl, c, lvl, x), write)
  ensures [SeqCounter_atomicity_context_df(k, alvl, c, lvl, x), true]

function SeqCounter_interferenceSet_hf($p0: Int, k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Set[Int]
  requires acc(SeqCounter_interferenceContext_fp(k, alvl, c, lvl, x), write)
  ensures [(forall $_m: Int :: { ($_m in result) } ($_m in result) ==> ($_m in SeqCounter_interferenceSet_df($p0, k, alvl, c, lvl, x))), true]

function SeqCounter_interferenceReference_hf($p0: Int, k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Int
  requires acc(SeqCounter_interferenceContext_fp(k, alvl, c, lvl, x), write)
  ensures [SeqCounter_interferenceReference_df($p0, k, alvl, c, lvl, x), true]

function SeqCounter_sk_$_action_n(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Int
  requires acc(SeqCounter_sk_fp(), write)

function SeqCounter_sk_$_action_m(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Int
  requires acc(SeqCounter_sk_fp(), write)

// Abstract state of a SeqCounter region: the state of the Counter region it
// contains.
function SeqCounter_state(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Int
  requires acc(SeqCounter(k, alvl, c, lvl, x), write)
  ensures [SeqCounter_state_T(k, alvl, c, lvl, x), true]
{
  (unfolding acc(SeqCounter(k, alvl, c, lvl, x), write) in Counter_state(c, lvl, x))
}

// ---- ParCounter: same family of helpers ----
function ParCounter_atomicity_context_hf(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Set[Int]
  requires acc(ParCounter_atomicity_context_fp(k, alvl, c, lvl, x), write)
  ensures [ParCounter_atomicity_context_df(k, alvl, c, lvl, x), true]

function ParCounter_interferenceSet_hf($p0: Int, k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Set[Int]
  requires acc(ParCounter_interferenceContext_fp(k, alvl, c, lvl, x), write)
  ensures [(forall $_m: Int :: { ($_m in result) } ($_m in result) ==> ($_m in ParCounter_interferenceSet_df($p0, k, alvl, c, lvl, x))), true]

function ParCounter_interferenceReference_hf($p0: Int, k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Int
  requires acc(ParCounter_interferenceContext_fp(k, alvl, c, lvl, x), write)
  ensures [ParCounter_interferenceReference_df($p0, k, alvl, c, lvl, x), true]

function ParCounter_sk_$_action_n(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Int
  requires acc(ParCounter_sk_fp(), write)

function ParCounter_sk_$_action_m(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Int
  requires acc(ParCounter_sk_fp(), write)

// Abstract state of a ParCounter region: the state of the Counter region it
// contains.
function ParCounter_state(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref): Int
  requires acc(ParCounter(k, alvl, c, lvl, x), write)
  ensures [ParCounter_state_T(k, alvl, c, lvl, x), true]
{
  (unfolding acc(ParCounter(k, alvl, c, lvl, x), write) in Counter_state(c, lvl, x))
}

// ---- Counter predicates ----
// Counter_G, the *_fp predicates and Counter_sk_fp are abstract (no body).
// Only the permission amount held to them is observable.
predicate Counter_G($r: Ref)
predicate Counter_atomicity_context_fp(c: Ref, lvl: Int, x: Ref)
predicate Counter_interferenceContext_fp(c: Ref, lvl: Int, x: Ref)
predicate Counter_sk_fp()
// Region predicate: full permission to the memory cell x.$memcell_$f.
// c and lvl do not occur in the body.
predicate Counter(c: Ref, lvl: Int, x: Ref) {
  acc(x.$memcell_$f, write) && true
}

// ---- SeqCounter predicates ----
predicate SeqCounter_S($r: Ref)
predicate SeqCounter_atomicity_context_fp(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref)
predicate SeqCounter_interferenceContext_fp(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref)
predicate SeqCounter_sk_fp()
// Region predicate: owns the inner Counter region and its Counter_G guard,
// with 0 <= lvl < alvl.
predicate SeqCounter(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref) {
  acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write) && lvl < alvl
}

// ---- ParCounter predicates ----
predicate ParCounter_P($r: Ref)
predicate ParCounter_atomicity_context_fp(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref)
predicate ParCounter_interferenceContext_fp(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref)
predicate ParCounter_sk_fp()
// Region predicate with the same body as SeqCounter.
predicate ParCounter(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref) {
  acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write) && lvl < alvl
}

// Bodyless methods without postconditions: the returned value is arbitrary.
method havoc_Bool() returns ($r: Bool)
method havoc_Int() returns ($r: Int)
method havoc_Ref() returns ($r: Ref)
// Bodyless methods without parameters or contracts. The methods below call
// them at the start of each per-region inference or stabilisation step.
// NOTE(review): no effect is visible from these declarations; the name
// suggests a back-end workaround, so confirm against the generator.
method ___silicon_hack407_havoc_all_Counter()
method ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
method ___silicon_hack407_havoc_all_SeqCounter()
method ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp()
method ___silicon_hack407_havoc_all_ParCounter()
method ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp()

// Reads the value of a Counter region.
// Requires the region, its Counter_G guard, lvl >= 0 and a state in IntSet()
// (always true, given IntSet's assumed postcondition). Ensures the state is
// unchanged and ret equals the state on entry. The conjunct
// Counter_state(...) == Counter_state(...) in the precondition is a tautology.
// Presumably the encoding of an abstract-atomic procedure: it inhales its
// interference set directly instead of running the "non atomic procedure"
// inference block used by read01_client01.
// Every `inhale` in the body is an unchecked assumption, so the verification
// result is only as trustworthy as those assumptions.
method read01(c: Ref, lvl: Int, x: Ref) returns (ret: Int)
  requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write)
  requires (Counter_state(c, lvl, x) in IntSet())
  ensures acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == old(Counter_state(c, lvl, x))) && acc(Counter_G(c), write)
  ensures ret == old(Counter_state(c, lvl, x))
{
  var $_levelVar_0: Int
  var $_levelVar_1: Int
  var $_levelVar_2: Int
  // The level variable is assumed to be non-negative and above the region's level.
  inhale $_levelVar_0 >= 0 && $_levelVar_0 > lvl
  assert $_levelVar_0 >= 0
  // Permissions framing the *_sk_$_action_* functions.
  inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write)
  // no init required
  // no init required
  // no init required
  // Permissions framing the interference-context functions, for every argument tuple.
  inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  // Interference context at tag 0: any integer is allowed, and the reference
  // value is the state on entry.
  inhale Counter_interferenceSet_hf(0, c, lvl, x) == IntSet()
  inhale Counter_interferenceReference_hf(0, c, lvl, x) == old(Counter_state(c, lvl, x))
  // ------- open-region BEGIN -------
  label pre_open_region0
  // Checked, not assumed: the current level must be above the region's level.
  assert $_levelVar_0 > lvl
  $_levelVar_1 := lvl
  unfold acc(Counter(c, lvl, x), write)
  // no interference context translation needed
  // ------- heap-read BEGIN ---------
  ret := x.$memcell_$f
  // ------- heap-read END -----------
  fold acc(Counter(c, lvl, x), write)
  // The region state must be the same as before the region was opened.
  assert Counter_state(c, lvl, x) == old[pre_open_region0](Counter_state(c, lvl, x))
  $_levelVar_2 := $_levelVar_0
  // ------- open-region END ---------
}

// Same contract and body shape as read01, except that the state is required
// to lie in the singleton Set(Counter_state(c, lvl, x)) and the interference
// set at tag 0 is assumed to be that singleton instead of IntSet().
method read02(c: Ref, lvl: Int, x: Ref) returns (ret: Int)
  requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write)
  requires (Counter_state(c, lvl, x) in Set(Counter_state(c, lvl, x)))
  ensures acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == old(Counter_state(c, lvl, x))) && acc(Counter_G(c), write)
  ensures ret == old(Counter_state(c, lvl, x))
{
  var $_levelVar_3: Int
  var $_levelVar_4: Int
  var $_levelVar_5: Int
  inhale $_levelVar_3 >= 0 && $_levelVar_3 > lvl
  assert $_levelVar_3 >= 0
  inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write)
  // no init required
  // no init required
  // no init required
  inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  // Interference context at tag 0: only the current state is allowed.
  inhale Counter_interferenceSet_hf(0, c, lvl, x) == Set(Counter_state(c, lvl, x))
  inhale Counter_interferenceReference_hf(0, c, lvl, x) == old(Counter_state(c, lvl, x))
  // ------- open-region BEGIN -------
  label pre_open_region
  assert $_levelVar_3 > lvl
  $_levelVar_4 := lvl
  unfold acc(Counter(c, lvl, x), write)
  // no interference context translation needed
  // ------- heap-read BEGIN ---------
  ret := x.$memcell_$f
  // ------- heap-read END -----------
  fold acc(Counter(c, lvl, x), write)
  assert Counter_state(c, lvl, x) == old[pre_open_region](Counter_state(c, lvl, x))
  $_levelVar_5 := $_levelVar_3
  // ------- open-region END ---------
}

// Client that calls read01 once and returns its result.
// Requires and ensures the Counter region, its guard and lvl >= 0; ensures
// ret equals the region state on entry.
// Body layout: (1) assumed set-up, (2) interference inference for all three
// region types at tag 1, (3) the call to read01, encoded by hand as
// exhale-precondition / stabilise / havoc / inhale-postcondition,
// (4) stabilisation after the call at tag 2.
method read01_client01(c: Ref, lvl: Int, x: Ref) returns (ret: Int)
  requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write)
  ensures acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write)
  ensures ret == old(Counter_state(c, lvl, x))
{
  var $_levelVar_6: Int
  inhale $_levelVar_6 >= 0 && $_levelVar_6 > lvl
  assert $_levelVar_6 >= 0
  inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write)
  // no init required
  // no init required
  // no init required
  inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN
  label pre_infer0
  // Inferring interference all instances of region Counter
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  // Exhaling and re-inhaling Counter_sk_fp: presumably so that nothing known
  // earlier about the Counter_sk_$_action_* functions it frames carries over.
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  // For every Counter instance held now and at pre_infer0, define membership
  // in the interference set at tag 1: $$_m must lie in the atomicity context
  // (when $diamond and the context predicate are held) and must be either the
  // state at pre_infer0 or the target of an action step starting from it.
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] ::
    (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(1, $c, $lvl, $x)) }
      none < old[pre_infer0](perm(Counter($c, $lvl, $x))) ==>
      ($$_m in Counter_interferenceSet_hf(1, $c, $lvl, $x)) ==
      ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) &&
      ($$_m == old[pre_infer0](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer0](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true))))
  // havoc performed by other front resource
  // The interference reference at tag 1 is the state at pre_infer0.
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer0](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(1, $c, $lvl, $x) == old[pre_infer0](Counter_state($c, $lvl, $x)))
  // Inferring interference all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  // Same shape as for Counter, except that the action step is admitted only
  // when no permission to the SeqCounter_S($k) predicate is held
  // (perm(...) == none); for Counter and ParCounter that conjunct is `true`.
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] ::
    (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(1, $k, $alvl, $c, $lvl, $x)) }
      none < old[pre_infer0](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==>
      ($$_m in SeqCounter_interferenceSet_hf(1, $k, $alvl, $c, $lvl, $x)) ==
      ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) &&
      ($$_m == old[pre_infer0](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer0](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none))))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer0](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(1, $k, $alvl, $c, $lvl, $x) == old[pre_infer0](SeqCounter_state($k, $alvl, $c, $lvl, $x)))
  // Inferring interference all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] ::
    (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(1, $k, $alvl, $c, $lvl, $x)) }
      none < old[pre_infer0](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==>
      ($$_m in ParCounter_interferenceSet_hf(1, $k, $alvl, $c, $lvl, $x)) ==
      ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) &&
      ($$_m == old[pre_infer0](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer0](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true))))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer0](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(1, $k, $alvl, $c, $lvl, $x) == old[pre_infer0](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END
  // ------- call:read01 BEGIN -------
  // Checked: the caller's interference set at tag 1 must be contained in the
  // set read01 assumes for itself (IntSet()).
  assert (forall $_m: Int :: { ($_m in Counter_interferenceSet_hf(1, c, lvl, x)) } ($_m in Counter_interferenceSet_hf(1, c, lvl, x)) ==> ($_m in IntSet()))
  label pre_call0
  assert $_levelVar_6 >= 0 && $_levelVar_6 > lvl
  assert true
  // The exhaled assertion is a textual copy of read01's two `requires`
  // clauses, and the assertion inhaled after the havoc is a copy of its
  // `ensures` clauses with old(...) rebased to pre_call0.
  // NOTE(review): the call is not a Viper method call, so nothing ties these
  // copies to read01's declaration; their agreement rests on the generator.
  exhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write) && (Counter_state(c, lvl, x) in IntSet())
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read01@50.3) BEGIN
  label pre_stabilize0
  // Stabilising all instances of region Counter
  ___silicon_hack407_havoc_all_Counter()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  // forperm ranges over the instances to which permission is currently held.
  // For each one also held at pre_stabilize0, the state is assumed to lie in
  // the atomicity context (when applicable) and to be either unchanged or the
  // target of an action step from the old state.
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] ::
    none < old[pre_stabilize0](perm(Counter($c, $lvl, $x))) ==>
    (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) &&
    (Counter_state($c, $lvl, $x) == old[pre_stabilize0](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize0](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true))
  // Stabilising all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] ::
    none < old[pre_stabilize0](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==>
    (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) &&
    (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize0](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize0](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none))
  // Stabilising all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] ::
    none < old[pre_stabilize0](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==>
    (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) &&
    (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize0](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize0](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read01@50.3) END
  // havoc_Int has no postcondition, so ret is arbitrary until the inhale
  // below constrains it.
  ret := havoc_Int()
  inhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == old[pre_call0](Counter_state(c, lvl, x))) && acc(Counter_G(c), write) && ret == old[pre_call0](Counter_state(c, lvl, x))
  // ------- call:read01 END ---------
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after call:read01@50.3) BEGIN
  label pre_stabilize
  // Stabilising all instances of region Counter
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  // Per region type, three assumptions follow: the interference set at tag 2
  // is defined relative to pre_stabilize, the current state is assumed to be
  // a member of that set, and the reference value at tag 2 is the state at
  // pre_stabilize.
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] ::
    (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(2, $c, $lvl, $x)) }
      none < old[pre_stabilize](perm(Counter($c, $lvl, $x))) ==>
      ($$_m in Counter_interferenceSet_hf(2, $c, $lvl, $x)) ==
      ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) &&
      ($$_m == old[pre_stabilize](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true))))
  ___silicon_hack407_havoc_all_Counter()
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(2, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(2, $c, $lvl, $x) == old[pre_stabilize](Counter_state($c, $lvl, $x)))
  // Stabilising all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] ::
    (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(2, $k, $alvl, $c, $lvl, $x)) }
      none < old[pre_stabilize](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==>
      ($$_m in SeqCounter_interferenceSet_hf(2, $k, $alvl, $c, $lvl, $x)) ==
      ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) &&
      ($$_m == old[pre_stabilize](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none))))
  ___silicon_hack407_havoc_all_SeqCounter()
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(2, $k, $alvl, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(2, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize](SeqCounter_state($k, $alvl, $c, $lvl, $x)))
  // Stabilising all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] ::
    (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(2, $k, $alvl, $c, $lvl, $x)) }
      none < old[pre_stabilize](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==>
      ($$_m in ParCounter_interferenceSet_hf(2, $k, $alvl, $c, $lvl, $x)) ==
      ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) &&
      ($$_m == old[pre_stabilize](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true))))
  ___silicon_hack407_havoc_all_ParCounter()
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(2, $k, $alvl, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(2, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after call:read01@50.3) END
}

method read01_client02(c: Ref, lvl: Int, x: Ref) returns (ret: Int)
  requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write)
  ensures acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write)
  ensures ret == old(Counter_state(c, lvl, x))
{
  var $_levelVar_7: Int
  inhale $_levelVar_7 >= 0 && $_levelVar_7 > lvl
  assert $_levelVar_7 >= 0
  inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write)
  // no init required
  // no init required
  // no init required
  inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN
  label pre_infer
  // Inferring interference all instances of region Counter
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in
Counter_interferenceSet_df(3, $c, $lvl, $x)) } none < old[pre_infer](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(3, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_infer](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(3, $c, $lvl, $x) == old[pre_infer](Counter_state($c, $lvl, $x))) // Inferring interference all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(3, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(3, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) 
==> SeqCounter_interferenceReference_hf(3, $k, $alvl, $c, $lvl, $x) == old[pre_infer](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Inferring interference all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(3, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(3, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(3, $k, $alvl, $c, $lvl, $x) == old[pre_infer](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END // skip; // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@59.3) BEGIN label pre_stabilize2 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(4, $c, 
$lvl, $x)) } none < old[pre_stabilize2](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(4, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize2](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize2](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_Counter() inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize2](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(4, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize2](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(4, $c, $lvl, $x) == old[pre_stabilize2](Counter_state($c, $lvl, $x))) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(4, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize2](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(4, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize2](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize2](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && 
perm(SeqCounter_S($k)) == none)))) ___silicon_hack407_havoc_all_SeqCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize2](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(4, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize2](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(4, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize2](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(4, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize2](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(4, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize2](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize2](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_ParCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize2](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(4, 
$k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize2](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(4, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize2](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@59.3) END // ------- call:read01 BEGIN ------- assert (forall $_m: Int :: { ($_m in Counter_interferenceSet_hf(4, c, lvl, x)) } ($_m in Counter_interferenceSet_hf(4, c, lvl, x)) ==> ($_m in IntSet())) label pre_call assert $_levelVar_7 >= 0 && $_levelVar_7 > lvl assert true exhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write) && (Counter_state(c, lvl, x) in IntSet()) // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read01@60.3) BEGIN label pre_stabilize3 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize3](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize3](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize3](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, 
$lvl, $x)] :: none < old[pre_stabilize3](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize3](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize3](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize3](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize3](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize3](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read01@60.3) END ret := havoc_Int() inhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == old[pre_call](Counter_state(c, lvl, x))) && acc(Counter_G(c), write) && ret == old[pre_call](Counter_state(c, lvl, x)) // ------- call:read01 END --------- // ------- Stabilising regions Counter,SeqCounter,ParCounter (after 
call:read01@60.3) BEGIN label pre_stabilize4 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(5, $c, $lvl, $x)) } none < old[pre_stabilize4](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(5, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize4](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize4](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_Counter() inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize4](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(5, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize4](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(5, $c, $lvl, $x) == old[pre_stabilize4](Counter_state($c, $lvl, $x))) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(5, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize4](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(5, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, 
$c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize4](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize4](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) ___silicon_hack407_havoc_all_SeqCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize4](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(5, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize4](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(5, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize4](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(5, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize4](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(5, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize4](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize4](ParCounter_state($k, $alvl, $c, $lvl, $x)) && 
ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_ParCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize4](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(5, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize4](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(5, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize4](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (after call:read01@60.3) END }

// read01_client03: client of read01 that stores the call result in the local
// `v` and then copies it into `ret` (sections "call:read01" and "assign").
//
// Contract, as stated by the requires/ensures clauses:
//   requires  write permission to Counter(c, lvl, x) and to Counter_G(c),
//             and lvl >= 0
//   ensures   ret == old(Counter_state(c, lvl, x)); the same two permissions
//             are returned and Counter_state(c, lvl, x) equals its old value
//
// Reading note: `inhale` adds permissions and ASSUMES its assertion without
// checking it; `exhale` and `assert` are the statements that get checked.
// Every `inhale` in this body is therefore a trusted step: the verification
// result for this method is only as strong as those assumptions.
// The ___silicon_hack407_havoc_all_* and havoc_Int methods called below are
// declared outside this part of the file; their contracts are not visible here.
method read01_client03(c: Ref, lvl: Int, x: Ref) returns (ret: Int)
  requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write)
  ensures ret == old(Counter_state(c, lvl, x))
  ensures acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == old(Counter_state(c, lvl, x))) && acc(Counter_G(c), write)
{
  var v: Int
  var $_levelVar_8: Int
  // The level variable is only constrained by this assumption: non-negative
  // and strictly above lvl. The assert that follows is implied by it.
  inhale $_levelVar_8 >= 0 && $_levelVar_8 > lvl
  assert $_levelVar_8 >= 0
  // Assumed write permission to the three *_sk_fp resources; each region step
  // below exhales and re-inhales one of them.
  // NOTE(review): presumably this forgets the current Counter_sk_$_action_n/_m
  // values so that each step gets fresh ones; confirm against the declarations.
  inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write)
  // no init required
  // no init required
  // no init required
  // Assumed write permission to the interference-context resource of every
  // possible instance of the three regions.
  inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))

  // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN
  // Interference sets with index 6 are defined relative to the state at label
  // pre_infer2, for every region instance to which permission was held there.
  label pre_infer2
  // Inferring interference all instances of region Counter
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  // Assumed definition of the set: $$_m is a member iff the atomicity-context
  // condition holds and $$_m is either the state at pre_infer2 or the value
  // the (action_n, action_m) pair maps that state to.
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(6, $c, $lvl, $x)) } none < old[pre_infer2](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(6, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_infer2](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer2](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true))))
  // havoc performed by other front resource
  // Assumes the interference reference with index 6 equals the state at pre_infer2.
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer2](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(6, $c, $lvl, $x) == old[pre_infer2](Counter_state($c, $lvl, $x)))
  // Inferring interference all instances of region SeqCounter
  // Same pattern as Counter; the action disjunct additionally requires
  // perm(SeqCounter_S($k)) == none.
  ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(6, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer2](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(6, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer2](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer2](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none))))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer2](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(6, $k, $alvl, $c, $lvl, $x) == old[pre_infer2](SeqCounter_state($k, $alvl, $c, $lvl, $x)))
  // Inferring interference all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(6, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer2](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(6, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer2](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer2](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true))))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer2](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(6, $k, $alvl, $c, $lvl, $x) == old[pre_infer2](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END

  // ------- call:read01 BEGIN -------
  // The call is encoded inline: the checks and the exhale below stand for the
  // callee's precondition, the inhale after the havoc for its postcondition.
  // read01 itself is not visible here, so this method's result relies on
  // read01 being verified separately against the same contract.
  // Checked: every value in the index-6 interference set of Counter(c, lvl, x)
  // lies in IntSet().
  assert (forall $_m: Int :: { ($_m in Counter_interferenceSet_hf(6, c, lvl, x)) } ($_m in Counter_interferenceSet_hf(6, c, lvl, x)) ==> ($_m in IntSet()))
  label pre_call2
  // Checked: the current level is non-negative and strictly above lvl.
  assert $_levelVar_8 >= 0 && $_levelVar_8 > lvl
  // Vacuous check; nothing is established by it.
  assert true
  // Gives up both permissions for the duration of the call. The equality
  // Counter_state(..) == Counter_state(..) is trivially true.
  exhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write) && (Counter_state(c, lvl, x) in IntSet())
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read01@70.3) BEGIN
  // For region instances still held after the exhale, the state is assumed to
  // be either unchanged since pre_stabilize5 or the result of one
  // (action_n, action_m) step from it.
  label pre_stabilize5
  // Stabilising all instances of region Counter
  ___silicon_hack407_havoc_all_Counter()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize5](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize5](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize5](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true))
  // Stabilising all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize5](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize5](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize5](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none))
  // Stabilising all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize5](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize5](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize5](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read01@70.3) END
  // v receives the result of havoc_Int(); the inhale that follows is what ties
  // it to the state at pre_call2 and returns the two permissions.
  v := havoc_Int()
  inhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == old[pre_call2](Counter_state(c, lvl, x))) && acc(Counter_G(c), write) && v == old[pre_call2](Counter_state(c, lvl, x))
  // ------- call:read01 END ---------

  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after call:read01@70.3) BEGIN
  // Index-7 interference sets are defined relative to pre_stabilize6; after the
  // region havoc, each held instance's state is assumed to lie in its set.
  label pre_stabilize6
  // Stabilising all instances of region Counter
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(7, $c, $lvl, $x)) } none < old[pre_stabilize6](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(7, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize6](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize6](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true))))
  ___silicon_hack407_havoc_all_Counter()
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize6](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(7, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize6](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(7, $c, $lvl, $x) == old[pre_stabilize6](Counter_state($c, $lvl, $x)))
  // Stabilising all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(7, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize6](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(7, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize6](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize6](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none))))
  ___silicon_hack407_havoc_all_SeqCounter()
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize6](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(7, $k, $alvl, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize6](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(7, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize6](SeqCounter_state($k, $alvl, $c, $lvl, $x)))
  // Stabilising all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(7, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize6](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(7, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize6](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize6](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true))))
  ___silicon_hack407_havoc_all_ParCounter()
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize6](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(7, $k, $alvl, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize6](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(7, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize6](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after call:read01@70.3) END

  // ------- assign BEGIN ------------
  ret := v
  // ------- assign END --------------

  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after assign@71.3) BEGIN
  // Same pattern as after the call, with index 8 and label pre_stabilize7.
  label pre_stabilize7
  // Stabilising all instances of region Counter
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(8, $c, $lvl, $x)) } none < old[pre_stabilize7](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(8, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize7](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize7](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true))))
  ___silicon_hack407_havoc_all_Counter()
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize7](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(8, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize7](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(8, $c, $lvl, $x) == old[pre_stabilize7](Counter_state($c, $lvl, $x)))
  // Stabilising all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(8, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize7](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(8, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize7](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize7](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none))))
  ___silicon_hack407_havoc_all_SeqCounter()
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize7](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(8, $k, $alvl, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize7](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(8, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize7](SeqCounter_state($k, $alvl, $c, $lvl, $x)))
  // Stabilising all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(8, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize7](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(8, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize7](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize7](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true))))
  ___silicon_hack407_havoc_all_ParCounter()
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize7](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(8, $k, $alvl, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize7](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(8, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize7](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after assign@71.3) END
}

method read02_client01(c: Ref, lvl: Int, x: Ref) returns (ret: Int) requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write) { var $_levelVar_9: Int inhale $_levelVar_9 >= 0 && $_levelVar_9 > lvl assert $_levelVar_9 >= 0 inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write) // no init required // no init required // no init required inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), 
write)) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN label pre_infer3 // Inferring interference all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(9, $c, $lvl, $x)) } none < old[pre_infer3](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(9, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_infer3](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer3](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer3](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(9, $c, $lvl, $x) == old[pre_infer3](Counter_state($c, $lvl, $x))) // Inferring interference all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(9, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer3](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(9, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer3](SeqCounter_state($k, $alvl, $c, $lvl, 
$x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer3](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer3](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(9, $k, $alvl, $c, $lvl, $x) == old[pre_infer3](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Inferring interference all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(9, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer3](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(9, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer3](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer3](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer3](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(9, $k, $alvl, $c, $lvl, $x) == old[pre_infer3](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic 
procedure) END // ------- call:read02 BEGIN ------- assert (forall $_m: Int :: { ($_m in Counter_interferenceSet_hf(9, c, lvl, x)) } ($_m in Counter_interferenceSet_hf(9, c, lvl, x)) ==> ($_m in Set(Counter_interferenceReference_hf(9, c, lvl, x)))) label pre_call3 assert $_levelVar_9 >= 0 && $_levelVar_9 > lvl assert true exhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write) && (Counter_state(c, lvl, x) in Set(Counter_state(c, lvl, x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read02@80.3) BEGIN label pre_stabilize8 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize8](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize8](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize8](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize8](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize8](SeqCounter_state($k, 
$alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize8](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize8](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize8](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize8](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read02@80.3) END ret := havoc_Int() inhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == old[pre_call3](Counter_state(c, lvl, x))) && acc(Counter_G(c), write) && ret == old[pre_call3](Counter_state(c, lvl, x)) // ------- call:read02 END --------- // ------- Stabilising regions Counter,SeqCounter,ParCounter (after call:read02@80.3) BEGIN label pre_stabilize9 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(10, $c, $lvl, $x)) } none < 
old[pre_stabilize9](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(10, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize9](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize9](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_Counter() inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize9](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(10, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize9](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(10, $c, $lvl, $x) == old[pre_stabilize9](Counter_state($c, $lvl, $x))) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(10, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize9](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(10, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize9](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize9](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) 
== none)))) ___silicon_hack407_havoc_all_SeqCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize9](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(10, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize9](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(10, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize9](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(10, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize9](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(10, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize9](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize9](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_ParCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize9](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(10, $k, $alvl, $c, 
$lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize9](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(10, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize9](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after call:read02@80.3) END
}

// read02_client02: contains one encoded call to read02 (see the call:read02 BEGIN/END
// markers) on the Counter region instance (c, lvl, x).
// Precondition: write permission to Counter(c, lvl, x) and to Counter_G(c), with lvl >= 0.
// Postconditions: ret equals the region state on entry; both permissions are returned and
// the region state equals its value on entry.
// NOTE(review): `inhale` adds an assumption that is not proved, while `assert` is a proof
// obligation. What this method establishes therefore rests on every inhaled formula below
// being justified by whatever produced this encoding; audit those formulas first.
method read02_client02(c: Ref, lvl: Int, x: Ref) returns (ret: Int)
  requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write)
  ensures ret == old(Counter_state(c, lvl, x))
  ensures acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == old(Counter_state(c, lvl, x))) && acc(Counter_G(c), write)
{
  // Level bound for this method: assumed (not proved) to be non-negative and strictly
  // greater than lvl; only the non-negativity is re-checked by the assert.
  var $_levelVar_10: Int
  inhale $_levelVar_10 >= 0 && $_levelVar_10 > lvl
  assert $_levelVar_10 >= 0
  // Assumed: write permission to the three *_sk_fp() instances and, below, to every
  // instance of the three *_interferenceContext_fp resources (quantified over all arguments).
  inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write)
  // no init required
  // no init required
  // no init required
  inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN
  // For each of the three regions: one havoc-named call, an exhale/inhale pair on the
  // region's *_sk_fp() permission, then two assumptions that define
  // *_interferenceSet_hf(11, ...) and *_interferenceReference_hf(11, ...) for every
  // instance whose permission was positive at label pre_infer4.
  // NOTE(review): the ___silicon_hack407_* methods and the *_hf / *_df functions are not
  // declared in this part of the file; the exhale/inhale pair presumably resets what is
  // known about the *_sk_$_action_* values - confirm against their declarations.
  label pre_infer4
  // Inferring interference all instances of region Counter
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(11, $c, $lvl, $x)) } none < old[pre_infer4](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(11, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_infer4](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer4](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true))))
  // havoc performed by other front resource
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer4](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(11, $c, $lvl, $x) == old[pre_infer4](Counter_state($c, $lvl, $x)))
  // Inferring interference all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(11, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer4](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(11, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer4](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer4](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none))))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer4](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(11, $k, $alvl, $c, $lvl, $x) == old[pre_infer4](SeqCounter_state($k, $alvl, $c, $lvl, $x)))
  // Inferring interference all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(11, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer4](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(11, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer4](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer4](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true))))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer4](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(11, $k, $alvl, $c, $lvl, $x) == old[pre_infer4](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END
  // ------- call:read02 BEGIN -------
  // Proof obligation: every value in the interference set (index 11) for (c, lvl, x) lies
  // in the singleton set holding the interference reference of the same instance.
  assert (forall $_m: Int :: { ($_m in Counter_interferenceSet_hf(11, c, lvl, x)) } ($_m in Counter_interferenceSet_hf(11, c, lvl, x)) ==> ($_m in Set(Counter_interferenceReference_hf(11, c, lvl, x))))
  label pre_call4
  // Proof obligation: the level bound is non-negative and above lvl at the call.
  assert $_levelVar_10 >= 0 && $_levelVar_10 > lvl
  assert true
  // Gives up Counter(c, lvl, x) and Counter_G(c). The two conjuncts that compare
  // Counter_state(c, lvl, x) with itself hold trivially.
  exhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write) && (Counter_state(c, lvl, x) in Set(Counter_state(c, lvl, x)))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read02@90.3) BEGIN
  // For each region: havoc-named call, exhale/inhale of *_sk_fp(), then an assumption that
  // relates the current region state to its value at label pre_stabilize10.
  label pre_stabilize10
  // Stabilising all instances of region Counter
  ___silicon_hack407_havoc_all_Counter()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize10](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize10](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize10](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true))
  // Stabilising all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize10](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize10](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize10](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none))
  // Stabilising all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize10](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize10](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize10](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read02@90.3) END
  // ret takes the result of havoc_Int() (not declared in this part of the file; presumably
  // an unconstrained Int - confirm) and is then pinned by the assumption on the next line:
  // both permissions come back, the region state equals its value at label pre_call4, and
  // ret equals that value.
  ret := havoc_Int()
  inhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == old[pre_call4](Counter_state(c, lvl, x))) && acc(Counter_G(c), write) && ret == old[pre_call4](Counter_state(c, lvl, x))
  // ------- call:read02 END ---------
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after call:read02@90.3) BEGIN
  // Index 12: for each region the interference set is defined relative to label
  // pre_stabilize11, ___silicon_hack407_havoc_all_<Region>() is called, the region state is
  // assumed to lie in that set, and the interference reference is assumed equal to the
  // state at pre_stabilize11.
  label pre_stabilize11
  // Stabilising all instances of region Counter
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(12, $c, $lvl, $x)) } none < old[pre_stabilize11](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(12, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize11](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize11](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true))))
  ___silicon_hack407_havoc_all_Counter()
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize11](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(12, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize11](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(12, $c, $lvl, $x) == old[pre_stabilize11](Counter_state($c, $lvl, $x)))
  // Stabilising all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(12, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize11](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(12, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize11](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize11](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none))))
  ___silicon_hack407_havoc_all_SeqCounter()
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize11](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(12, $k, $alvl, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize11](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(12, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize11](SeqCounter_state($k, $alvl, $c, $lvl, $x)))
  // Stabilising all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(12, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize11](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(12, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize11](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize11](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true))))
  ___silicon_hack407_havoc_all_ParCounter()
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize11](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(12, $k, $alvl, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize11](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(12, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize11](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after call:read02@90.3) END
}
method read02_client03(c: Ref, lvl: Int, x: Ref) returns (ret: Int) requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write) { var $_levelVar_11: Int inhale $_levelVar_11 >= 0 && $_levelVar_11 > lvl assert $_levelVar_11 >= 0 inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write) // no init required // no init required // no init required inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN label pre_infer5 // Inferring interference all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(13, $c, $lvl, $x)) } none < old[pre_infer5](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(13, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_infer5](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer5](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer5](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(13, $c, $lvl, $x) == 
old[pre_infer5](Counter_state($c, $lvl, $x))) // Inferring interference all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(13, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer5](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(13, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer5](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer5](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer5](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(13, $k, $alvl, $c, $lvl, $x) == old[pre_infer5](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Inferring interference all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(13, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer5](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(13, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < 
perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer5](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer5](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer5](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(13, $k, $alvl, $c, $lvl, $x) == old[pre_infer5](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END // skip; // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@96.3) BEGIN label pre_stabilize12 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(14, $c, $lvl, $x)) } none < old[pre_stabilize12](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(14, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize12](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize12](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_Counter() inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize12](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in 
Counter_interferenceSet_hf(14, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize12](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(14, $c, $lvl, $x) == old[pre_stabilize12](Counter_state($c, $lvl, $x))) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(14, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize12](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(14, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize12](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize12](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) ___silicon_hack407_havoc_all_SeqCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize12](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(14, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize12](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(14, $k, $alvl, $c, $lvl, $x) == 
old[pre_stabilize12](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(14, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize12](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(14, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize12](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize12](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_ParCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize12](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(14, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize12](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(14, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize12](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@96.3) END // ------- call:read02 BEGIN ------- assert (forall $_m: Int :: { ($_m in Counter_interferenceSet_hf(14, c, lvl, x)) } ($_m in Counter_interferenceSet_hf(14, c, lvl, x)) ==> 
($_m in Set(Counter_interferenceReference_hf(14, c, lvl, x)))) label pre_call5 assert $_levelVar_11 >= 0 && $_levelVar_11 > lvl assert true exhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write) && (Counter_state(c, lvl, x) in Set(Counter_state(c, lvl, x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read02@98.3) BEGIN label pre_stabilize13 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize13](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize13](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize13](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize13](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize13](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize13](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, 
$alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize13](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize13](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize13](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read02@98.3) END ret := havoc_Int() inhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == old[pre_call5](Counter_state(c, lvl, x))) && acc(Counter_G(c), write) && ret == old[pre_call5](Counter_state(c, lvl, x)) // ------- call:read02 END --------- // ------- Stabilising regions Counter,SeqCounter,ParCounter (after call:read02@98.3) BEGIN label pre_stabilize14 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(15, $c, $lvl, $x)) } none < old[pre_stabilize14](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(15, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < 
perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize14](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize14](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_Counter() inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize14](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(15, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize14](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(15, $c, $lvl, $x) == old[pre_stabilize14](Counter_state($c, $lvl, $x))) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(15, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize14](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(15, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize14](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize14](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) ___silicon_hack407_havoc_all_SeqCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, 
$alvl, $c, $lvl, $x)] :: none < old[pre_stabilize14](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(15, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize14](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(15, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize14](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(15, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize14](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(15, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize14](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize14](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_ParCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize14](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(15, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref 
[ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize14](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(15, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize14](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after call:read02@98.3) END
}

// read01_seqclient01: encoding (apparently tool-generated) of a client that
// reads a counter through a SeqCounter region instance.
//
// Contract, as written below: the caller hands in, and receives back, write
// access to SeqCounter(k, alvl, c, lvl, x) and to SeqCounter_S(k), with
// alvl >= 0. The postcondition does not mention `ret`, so a caller learns
// nothing about the returned value from this contract.
//
// Body outline:
//   1. assume a level variable above alvl and the bookkeeping permissions;
//   2. fix the interference context (index 16, label pre_infer6);
//   3. two `skip` statements, each followed by a stabilisation (indices 17, 18);
//   4. use-atomic: unfold SeqCounter, inline the call to read01 on
//      Counter(c, lvl, x), fold SeqCounter again;
//   5. a final stabilisation (index 19).
//
// Trust note: most statements here are `inhale`, which adds an assumption
// without proving it. A successful verification of this method is only as
// strong as these assumptions, so changing one changes what is being proved.
method read01_seqclient01(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref) returns (ret: Int)
  requires acc(SeqCounter(k, alvl, c, lvl, x), write) && (alvl >= 0 && true) && acc(SeqCounter_S(k), write)
  ensures acc(SeqCounter(k, alvl, c, lvl, x), write) && (alvl >= 0 && true) && acc(SeqCounter_S(k), write)
{
  var $_levelVar_12: Int
  var $_levelVar_13: Int
  var $_levelVar_14: Int
  // $_levelVar_12 is assumed to lie strictly above alvl; the level checks
  // further down (against alvl, and later against lvl) build on this.
  inhale $_levelVar_12 >= 0 && $_levelVar_12 > alvl
  assert $_levelVar_12 >= 0
  // Assume write access to the per-region _sk_fp resources and to every
  // instance's _interferenceContext_fp resource; the steps below exhale and
  // re-inhale the _sk_fp permissions around each region.
  inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write)
  // no init required
  // no init required
  // no init required
  inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN
  // For every region instance held at pre_infer6, the interference set with
  // index 16 is assumed to contain exactly the values $$_m that (a) lie in the
  // atomicity context whenever one is held and (b) either equal the labelled
  // state or are the _action_m target of an _sk_ action whose _action_n is
  // that state. For SeqCounter the action case additionally requires
  // perm(SeqCounter_S($k)) == none.
  label pre_infer6
  // Inferring interference all instances of region Counter
  // NOTE(review): the ___silicon_hack407_havoc_all_* methods are defined
  // outside this view; presumably they havoc the named resource.
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(16, $c, $lvl, $x)) } none < old[pre_infer6](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(16, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_infer6](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer6](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true))))
  // havoc performed by other front resource
  // The interference reference (index 16) is pinned to the state at pre_infer6.
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer6](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(16, $c, $lvl, $x) == old[pre_infer6](Counter_state($c, $lvl, $x)))
  // Inferring interference all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(16, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer6](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(16, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer6](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer6](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none))))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer6](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(16, $k, $alvl, $c, $lvl, $x) == old[pre_infer6](SeqCounter_state($k, $alvl, $c, $lvl, $x)))
  // Inferring interference all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(16, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer6](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(16, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer6](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer6](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true))))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer6](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(16, $k, $alvl, $c, $lvl, $x) == old[pre_infer6](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END
  // skip;
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@130.3) BEGIN
  // Stabilisation pattern used from here on: redefine the interference set
  // for the new index (17), call ___silicon_hack407_havoc_all_<Region>(),
  // then assume the region state lies in that set and pin the interference
  // reference to the state at the stabilisation label.
  label pre_stabilize15
  // Stabilising all instances of region Counter
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(17, $c, $lvl, $x)) } none < old[pre_stabilize15](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(17, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize15](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize15](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true))))
  ___silicon_hack407_havoc_all_Counter()
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize15](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(17, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize15](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(17, $c, $lvl, $x) == old[pre_stabilize15](Counter_state($c, $lvl, $x)))
  // Stabilising all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(17, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize15](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(17, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize15](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize15](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none))))
  ___silicon_hack407_havoc_all_SeqCounter()
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize15](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(17, $k, $alvl, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize15](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(17, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize15](SeqCounter_state($k, $alvl, $c, $lvl, $x)))
  // Stabilising all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(17, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize15](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(17, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize15](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize15](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true))))
  ___silicon_hack407_havoc_all_ParCounter()
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize15](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(17, $k, $alvl, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize15](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(17, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize15](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@130.3) END
  // skip;
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@131.3) BEGIN
  // Same stabilisation pattern, now with index 18 and label pre_stabilize16.
  label pre_stabilize16
  // Stabilising all instances of region Counter
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(18, $c, $lvl, $x)) } none < old[pre_stabilize16](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(18, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize16](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize16](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true))))
  ___silicon_hack407_havoc_all_Counter()
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize16](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(18, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize16](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(18, $c, $lvl, $x) == old[pre_stabilize16](Counter_state($c, $lvl, $x)))
  // Stabilising all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(18, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize16](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(18, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize16](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize16](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none))))
  ___silicon_hack407_havoc_all_SeqCounter()
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize16](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(18, $k, $alvl, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize16](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(18, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize16](SeqCounter_state($k, $alvl, $c, $lvl, $x)))
  // Stabilising all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(18, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize16](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(18, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize16](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize16](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true))))
  ___silicon_hack407_havoc_all_ParCounter()
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize16](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(18, $k, $alvl, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize16](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(18, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize16](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@131.3) END
  // ------- use-atomic BEGIN --------
  label pre_use_atomic0
  // Checked, not assumed: no atomicity-context permission is held for this
  // SeqCounter instance, and the current level is strictly above alvl.
  assert perm(SeqCounter_atomicity_context_fp(k, alvl, c, lvl, x)) == none
  assert $_levelVar_12 > alvl
  // The level used inside the block is alvl; $_levelVar_14 takes the outer
  // level again at the end of the block.
  $_levelVar_13 := alvl
  // The guard SeqCounter_S(k) is given up here and re-inhaled after the
  // SeqCounter stabilisation below.
  exhale acc(SeqCounter_S(k), write)
  // ------- Stabilising regions Counter,ParCounter (before use-atomic@133.3) BEGIN
  // Shorter stabilisation form: no interference set is rebuilt; the havocked
  // state is constrained directly to be the labelled state or the target of
  // an _sk_ action from it.
  label pre_stabilize18
  // Stabilising all instances of region Counter
  ___silicon_hack407_havoc_all_Counter()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize18](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize18](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize18](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true))
  // Stabilising all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize18](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize18](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize18](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true))
  // ------- Stabilising regions Counter,ParCounter (before use-atomic@133.3) END
  // Open the SeqCounter region; the Counter(c, lvl, x) resources exhaled by
  // the inlined call below are expected to come from this unfold
  // (the predicate body is outside this view - TODO confirm).
  unfold acc(SeqCounter(k, alvl, c, lvl, x), write)
  label transitionPre2
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  // The inner Counter's interference set (index 18) is assumed to have the
  // same members as the SeqCounter interference set (index 18).
  inhale (forall $_m0: Int :: { ($_m0 in Counter_interferenceSet_df(18, c, lvl, x)) } ($_m0 in SeqCounter_interferenceSet_hf(18, k, alvl, c, lvl, x)) == ($_m0 in Counter_interferenceSet_hf(18, c, lvl, x)))
  // havoc performed by other front resource
  inhale true ==> Counter_interferenceReference_hf(18, c, lvl, x) == old[transitionPre2](Counter_state(c, lvl, x))
  // ------- Stabilising regions SeqCounter (before use-atomic@133.3) BEGIN
  label pre_stabilize19
  // Stabilising all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize19](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize19](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize19](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none))
  // ------- Stabilising regions SeqCounter (before use-atomic@133.3) END
  inhale acc(SeqCounter_S(k), write)
  // ------- call:read01 BEGIN -------
  // The call to read01 is encoded inline rather than as a method call:
  // check the interference-set and level side conditions, exhale what looks
  // like the callee's precondition, stabilise, assign ret from havoc_Int()
  // (defined outside this view; presumably an arbitrary Int), then inhale the
  // postcondition tying ret to the Counter state at pre_call6.
  assert (forall $_m: Int :: { ($_m in Counter_interferenceSet_hf(18, c, lvl, x)) } ($_m in Counter_interferenceSet_hf(18, c, lvl, x)) ==> ($_m in IntSet()))
  label pre_call6
  assert $_levelVar_13 >= 0 && $_levelVar_13 > lvl
  assert true
  exhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write) && (Counter_state(c, lvl, x) in IntSet())
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read01@136.5) BEGIN
  label pre_stabilize17
  // Stabilising all instances of region Counter
  ___silicon_hack407_havoc_all_Counter()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize17](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize17](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize17](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true))
  // Stabilising all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize17](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize17](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize17](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none))
  // Stabilising all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize17](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize17](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize17](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read01@136.5) END
  ret := havoc_Int()
  inhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == old[pre_call6](Counter_state(c, lvl, x))) && acc(Counter_G(c), write) && ret == old[pre_call6](Counter_state(c, lvl, x))
  // ------- call:read01 END ---------
  // Close the region again; this fold is where the SeqCounter predicate body
  // is re-checked against the current state.
  fold acc(SeqCounter(k, alvl, c, lvl, x), write)
  assert true
  $_levelVar_14 := $_levelVar_12
  // ------- use-atomic END ----------
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after use-atomic@133.3) BEGIN
  // Full stabilisation pattern again, with index 19 and label pre_stabilize20.
  label pre_stabilize20
  // Stabilising all instances of region Counter
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(19, $c, $lvl, $x)) } none < old[pre_stabilize20](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(19, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize20](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize20](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true))))
  ___silicon_hack407_havoc_all_Counter()
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize20](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(19, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize20](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(19, $c, $lvl, $x) == old[pre_stabilize20](Counter_state($c, $lvl, $x)))
  // Stabilising all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(19, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize20](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(19, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize20](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize20](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none))))
  ___silicon_hack407_havoc_all_SeqCounter()
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize20](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(19, $k, $alvl, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize20](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(19, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize20](SeqCounter_state($k, $alvl, $c, $lvl, $x)))
  // Stabilising all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(19, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize20](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(19, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize20](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize20](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true))))
  ___silicon_hack407_havoc_all_ParCounter()
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize20](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(19, $k, $alvl, $c, $lvl, $x)))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize20](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(19, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize20](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (after use-atomic@133.3) END
}
method read01_parclient01(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref) returns (ret: Int)
  requires acc(ParCounter(k, alvl, c, lvl, x), write) && (alvl >= 0 && true) && acc(ParCounter_P(k), write)
  ensures acc(ParCounter(k, alvl, c, lvl, x), write) && (alvl >= 0 && true) && acc(ParCounter_P(k), write)
{
  var $_levelVar_15: Int
  var $_levelVar_16: Int
  var $_levelVar_17: Int
  inhale $_levelVar_15 >= 0 && $_levelVar_15 > alvl
  assert $_levelVar_15 >= 0
  inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write)
&& acc(ParCounter_sk_fp(), write) // no init required // no init required // no init required inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN label pre_infer7 // Inferring interference all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(20, $c, $lvl, $x)) } none < old[pre_infer7](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(20, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_infer7](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer7](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer7](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(20, $c, $lvl, $x) == old[pre_infer7](Counter_state($c, $lvl, $x))) // Inferring interference all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: 
(forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(20, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer7](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(20, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer7](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer7](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer7](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(20, $k, $alvl, $c, $lvl, $x) == old[pre_infer7](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Inferring interference all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(20, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer7](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(20, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer7](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer7](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, 
$x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer7](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(20, $k, $alvl, $c, $lvl, $x) == old[pre_infer7](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END // skip; // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@144.3) BEGIN label pre_stabilize21 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(21, $c, $lvl, $x)) } none < old[pre_stabilize21](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(21, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize21](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize21](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_Counter() inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize21](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(21, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize21](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(21, $c, $lvl, $x) == old[pre_stabilize21](Counter_state($c, $lvl, $x))) // Stabilising all instances of region 
SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(21, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize21](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(21, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize21](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize21](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) ___silicon_hack407_havoc_all_SeqCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize21](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(21, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize21](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(21, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize21](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in 
ParCounter_interferenceSet_df(21, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize21](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(21, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize21](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize21](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_ParCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize21](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(21, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize21](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(21, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize21](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@144.3) END // skip; // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@145.3) BEGIN label pre_stabilize22 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(22, $c, $lvl, $x)) } none < old[pre_stabilize22](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(22, $c, $lvl, $x)) == 
((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize22](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize22](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_Counter() inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize22](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(22, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize22](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(22, $c, $lvl, $x) == old[pre_stabilize22](Counter_state($c, $lvl, $x))) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(22, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize22](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(22, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize22](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize22](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) ___silicon_hack407_havoc_all_SeqCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, 
$lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize22](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(22, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize22](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(22, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize22](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(22, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize22](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(22, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize22](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize22](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_ParCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize22](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(22, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: 
Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize22](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(22, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize22](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@145.3) END // ------- use-atomic BEGIN -------- label pre_use_atomic assert perm(ParCounter_atomicity_context_fp(k, alvl, c, lvl, x)) == none assert $_levelVar_15 > alvl $_levelVar_16 := alvl exhale acc(ParCounter_P(k), write) // ------- Stabilising regions Counter,SeqCounter (before use-atomic@147.3) BEGIN label pre_stabilize24 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize24](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize24](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize24](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize24](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) 
== old[pre_stabilize24](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize24](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // ------- Stabilising regions Counter,SeqCounter (before use-atomic@147.3) END unfold acc(ParCounter(k, alvl, c, lvl, x), write) label transitionPre3 ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() inhale (forall $_m0: Int :: { ($_m0 in Counter_interferenceSet_df(22, c, lvl, x)) } ($_m0 in ParCounter_interferenceSet_hf(22, k, alvl, c, lvl, x)) == ($_m0 in Counter_interferenceSet_hf(22, c, lvl, x))) // havoc performed by other front resource inhale true ==> Counter_interferenceReference_hf(22, c, lvl, x) == old[transitionPre3](Counter_state(c, lvl, x)) // ------- Stabilising regions ParCounter (before use-atomic@147.3) BEGIN label pre_stabilize25 // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize25](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize25](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize25](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions ParCounter (before use-atomic@147.3) END inhale 
acc(ParCounter_P(k), write) // ------- call:read01 BEGIN ------- assert (forall $_m: Int :: { ($_m in Counter_interferenceSet_hf(22, c, lvl, x)) } ($_m in Counter_interferenceSet_hf(22, c, lvl, x)) ==> ($_m in IntSet())) label pre_call7 assert $_levelVar_16 >= 0 && $_levelVar_16 > lvl assert true exhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write) && (Counter_state(c, lvl, x) in IntSet()) // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read01@150.5) BEGIN label pre_stabilize23 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize23](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize23](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize23](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize23](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize23](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || 
SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize23](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize23](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize23](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize23](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read01@150.5) END ret := havoc_Int() inhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == old[pre_call7](Counter_state(c, lvl, x))) && acc(Counter_G(c), write) && ret == old[pre_call7](Counter_state(c, lvl, x)) // ------- call:read01 END --------- fold acc(ParCounter(k, alvl, c, lvl, x), write) assert true $_levelVar_17 := $_levelVar_15 // ------- use-atomic END ---------- // ------- Stabilising regions Counter,SeqCounter,ParCounter (after use-atomic@147.3) BEGIN label pre_stabilize26 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, 
$x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(23, $c, $lvl, $x)) } none < old[pre_stabilize26](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(23, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize26](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize26](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_Counter() inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize26](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(23, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize26](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(23, $c, $lvl, $x) == old[pre_stabilize26](Counter_state($c, $lvl, $x))) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(23, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize26](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(23, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize26](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize26](SeqCounter_state($k, $alvl, $c, 
$lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) ___silicon_hack407_havoc_all_SeqCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize26](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(23, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize26](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(23, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize26](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(23, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize26](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(23, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize26](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize26](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_ParCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize26](perm(ParCounter($k, $alvl, $c, 
$lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(23, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize26](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(23, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize26](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (after use-atomic@147.3) END } method read02_seqclient01(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref) returns (ret: Int) requires acc(SeqCounter(k, alvl, c, lvl, x), write) && (alvl >= 0 && true) && acc(SeqCounter_S(k), write) ensures acc(SeqCounter(k, alvl, c, lvl, x), write) && (alvl >= 0 && true) && acc(SeqCounter_S(k), write) { var $_levelVar_18: Int var $_levelVar_19: Int var $_levelVar_20: Int inhale $_levelVar_18 >= 0 && $_levelVar_18 > alvl assert $_levelVar_18 >= 0 inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write) // no init required // no init required // no init required inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN label pre_infer8 // Inferring interference all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in 
Counter_interferenceSet_df(24, $c, $lvl, $x)) } none < old[pre_infer8](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(24, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_infer8](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer8](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer8](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(24, $c, $lvl, $x) == old[pre_infer8](Counter_state($c, $lvl, $x))) // Inferring interference all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(24, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer8](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(24, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer8](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer8](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer8](perm(SeqCounter($k, $alvl, $c, 
$lvl, $x))) ==> SeqCounter_interferenceReference_hf(24, $k, $alvl, $c, $lvl, $x) == old[pre_infer8](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Inferring interference all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(24, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer8](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(24, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer8](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer8](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer8](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(24, $k, $alvl, $c, $lvl, $x) == old[pre_infer8](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END // skip; // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@158.3) BEGIN label pre_stabilize27 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in 
Counter_interferenceSet_df(25, $c, $lvl, $x)) } none < old[pre_stabilize27](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(25, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize27](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize27](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_Counter() inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize27](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(25, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize27](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(25, $c, $lvl, $x) == old[pre_stabilize27](Counter_state($c, $lvl, $x))) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(25, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize27](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(25, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize27](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize27](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, 
$alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) ___silicon_hack407_havoc_all_SeqCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize27](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(25, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize27](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(25, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize27](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(25, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize27](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(25, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize27](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize27](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_ParCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize27](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, 
$alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(25, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize27](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(25, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize27](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@158.3) END // skip; // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@159.3) BEGIN label pre_stabilize28 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(26, $c, $lvl, $x)) } none < old[pre_stabilize28](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(26, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize28](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize28](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_Counter() inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize28](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(26, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize28](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(26, $c, $lvl, $x) == old[pre_stabilize28](Counter_state($c, $lvl, $x))) // 
Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(26, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize28](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(26, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize28](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize28](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) ___silicon_hack407_havoc_all_SeqCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize28](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(26, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize28](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(26, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize28](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: 
(forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(26, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize28](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(26, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize28](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize28](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_ParCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize28](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(26, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize28](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(26, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize28](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@159.3) END // ------- use-atomic BEGIN -------- label pre_use_atomic2 assert perm(SeqCounter_atomicity_context_fp(k, alvl, c, lvl, x)) == none assert $_levelVar_18 > alvl $_levelVar_19 := alvl exhale acc(SeqCounter_S(k), write) // ------- Stabilising regions Counter,ParCounter (before use-atomic@161.3) BEGIN label pre_stabilize30 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, 
$lvl, $x)] :: none < old[pre_stabilize30](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize30](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize30](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize30](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize30](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize30](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,ParCounter (before use-atomic@161.3) END unfold acc(SeqCounter(k, alvl, c, lvl, x), write) label transitionPre4 ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() inhale (forall $_m0: Int :: { ($_m0 in Counter_interferenceSet_df(26, c, lvl, x)) } ($_m0 in SeqCounter_interferenceSet_hf(26, k, alvl, c, lvl, x)) == ($_m0 in Counter_interferenceSet_hf(26, c, lvl, x))) // havoc performed by other front resource inhale true ==> Counter_interferenceReference_hf(26, c, lvl, x) == old[transitionPre4](Counter_state(c, lvl, x)) // ------- 
Stabilising regions SeqCounter (before use-atomic@161.3) BEGIN label pre_stabilize31 // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize31](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize31](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize31](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // ------- Stabilising regions SeqCounter (before use-atomic@161.3) END inhale acc(SeqCounter_S(k), write) // ------- call:read02 BEGIN ------- assert (forall $_m: Int :: { ($_m in Counter_interferenceSet_hf(26, c, lvl, x)) } ($_m in Counter_interferenceSet_hf(26, c, lvl, x)) ==> ($_m in Set(Counter_interferenceReference_hf(26, c, lvl, x)))) label pre_call8 assert $_levelVar_19 >= 0 && $_levelVar_19 > lvl assert true exhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write) && (Counter_state(c, lvl, x) in Set(Counter_state(c, lvl, x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read02@164.5) BEGIN label pre_stabilize29 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < 
old[pre_stabilize29](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize29](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize29](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize29](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize29](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize29](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize29](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, 
$alvl, $c, $lvl, $x) == old[pre_stabilize29](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize29](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read02@164.5) END ret := havoc_Int() inhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == old[pre_call8](Counter_state(c, lvl, x))) && acc(Counter_G(c), write) && ret == old[pre_call8](Counter_state(c, lvl, x)) // ------- call:read02 END --------- fold acc(SeqCounter(k, alvl, c, lvl, x), write) assert true $_levelVar_20 := $_levelVar_18 // ------- use-atomic END ---------- // ------- Stabilising regions Counter,SeqCounter,ParCounter (after use-atomic@161.3) BEGIN label pre_stabilize32 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(27, $c, $lvl, $x)) } none < old[pre_stabilize32](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(27, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize32](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize32](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_Counter() inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize32](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(27, $c, $lvl, $x))) // havoc performed 
by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize32](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(27, $c, $lvl, $x) == old[pre_stabilize32](Counter_state($c, $lvl, $x))) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(27, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize32](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(27, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize32](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize32](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) ___silicon_hack407_havoc_all_SeqCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize32](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(27, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize32](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(27, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize32](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Stabilising all instances of region 
ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(27, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize32](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(27, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize32](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize32](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_ParCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize32](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(27, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize32](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(27, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize32](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (after use-atomic@161.3) END } method read02_parclient01(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref) returns (ret: Int) requires acc(ParCounter(k, alvl, c, lvl, x), write) && (alvl >= 0 && true) && acc(ParCounter_P(k), write) ensures acc(ParCounter(k, alvl, c, lvl, x), write) && (alvl >= 0 && true) && 
acc(ParCounter_P(k), write) { var $_levelVar_21: Int var $_levelVar_22: Int var $_levelVar_23: Int inhale $_levelVar_21 >= 0 && $_levelVar_21 > alvl assert $_levelVar_21 >= 0 inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write) // no init required // no init required // no init required inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN label pre_infer9 // Inferring interference all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(28, $c, $lvl, $x)) } none < old[pre_infer9](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(28, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_infer9](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer9](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer9](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(28, $c, $lvl, $x) == old[pre_infer9](Counter_state($c, $lvl, $x))) // Inferring interference all instances of region SeqCounter 
___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(28, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer9](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(28, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer9](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer9](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer9](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(28, $k, $alvl, $c, $lvl, $x) == old[pre_infer9](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Inferring interference all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(28, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer9](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(28, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, 
$lvl, $x))) && ($$_m == old[pre_infer9](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer9](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer9](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(28, $k, $alvl, $c, $lvl, $x) == old[pre_infer9](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END // skip; // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@172.3) BEGIN label pre_stabilize33 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(29, $c, $lvl, $x)) } none < old[pre_stabilize33](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(29, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize33](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize33](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_Counter() inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize33](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(29, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, 
$x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize33](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(29, $c, $lvl, $x) == old[pre_stabilize33](Counter_state($c, $lvl, $x))) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(29, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize33](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(29, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize33](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize33](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) ___silicon_hack407_havoc_all_SeqCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize33](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(29, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize33](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(29, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize33](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Stabilising all instances of region ParCounter 
___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(29, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize33](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(29, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize33](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize33](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_ParCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize33](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(29, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize33](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(29, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize33](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@172.3) END // skip; // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@173.3) BEGIN label pre_stabilize34 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), 
write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(30, $c, $lvl, $x)) } none < old[pre_stabilize34](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(30, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize34](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize34](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_Counter() inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize34](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(30, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize34](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(30, $c, $lvl, $x) == old[pre_stabilize34](Counter_state($c, $lvl, $x))) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(30, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize34](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(30, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize34](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, 
$c, $lvl, $x) == old[pre_stabilize34](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) ___silicon_hack407_havoc_all_SeqCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize34](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(30, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize34](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(30, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize34](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(30, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize34](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(30, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize34](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize34](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_ParCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, 
$lvl, $x)] :: none < old[pre_stabilize34](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(30, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize34](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(30, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize34](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (after skip@173.3) END // ------- use-atomic BEGIN -------- label pre_use_atomic3 assert perm(ParCounter_atomicity_context_fp(k, alvl, c, lvl, x)) == none assert $_levelVar_21 > alvl $_levelVar_22 := alvl exhale acc(ParCounter_P(k), write) // ------- Stabilising regions Counter,SeqCounter (before use-atomic@175.3) BEGIN label pre_stabilize36 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize36](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize36](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize36](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize36](perm(SeqCounter($k, 
$alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize36](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize36](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // ------- Stabilising regions Counter,SeqCounter (before use-atomic@175.3) END unfold acc(ParCounter(k, alvl, c, lvl, x), write) label transitionPre5 ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() inhale (forall $_m0: Int :: { ($_m0 in Counter_interferenceSet_df(30, c, lvl, x)) } ($_m0 in ParCounter_interferenceSet_hf(30, k, alvl, c, lvl, x)) == ($_m0 in Counter_interferenceSet_hf(30, c, lvl, x))) // havoc performed by other front resource inhale true ==> Counter_interferenceReference_hf(30, c, lvl, x) == old[transitionPre5](Counter_state(c, lvl, x)) // ------- Stabilising regions ParCounter (before use-atomic@175.3) BEGIN label pre_stabilize37 // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize37](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize37](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, 
$x) == old[pre_stabilize37](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions ParCounter (before use-atomic@175.3) END inhale acc(ParCounter_P(k), write) // ------- call:read02 BEGIN ------- assert (forall $_m: Int :: { ($_m in Counter_interferenceSet_hf(30, c, lvl, x)) } ($_m in Counter_interferenceSet_hf(30, c, lvl, x)) ==> ($_m in Set(Counter_interferenceReference_hf(30, c, lvl, x)))) label pre_call9 assert $_levelVar_22 >= 0 && $_levelVar_22 > lvl assert true exhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write) && (Counter_state(c, lvl, x) in Set(Counter_state(c, lvl, x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read02@179.5) BEGIN label pre_stabilize35 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize35](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize35](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize35](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize35](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < 
perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize35](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize35](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize35](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize35](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize35](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (before call:read02@179.5) END ret := havoc_Int() inhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == old[pre_call9](Counter_state(c, lvl, x))) && acc(Counter_G(c), write) && ret == old[pre_call9](Counter_state(c, lvl, x)) // ------- call:read02 END --------- fold acc(ParCounter(k, alvl, c, lvl, x), write) assert true $_levelVar_23 := $_levelVar_21 // ------- use-atomic END ---------- // ------- Stabilising regions 
Counter,SeqCounter,ParCounter (after use-atomic@175.3) BEGIN label pre_stabilize38 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(31, $c, $lvl, $x)) } none < old[pre_stabilize38](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(31, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_stabilize38](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize38](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_Counter() inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize38](perm(Counter($c, $lvl, $x))) ==> (Counter_state($c, $lvl, $x) in Counter_interferenceSet_hf(31, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize38](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(31, $c, $lvl, $x) == old[pre_stabilize38](Counter_state($c, $lvl, $x))) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(31, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize38](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(31, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none 
< perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize38](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize38](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) ___silicon_hack407_havoc_all_SeqCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize38](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_interferenceSet_hf(31, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize38](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(31, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize38](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(31, $k, $alvl, $c, $lvl, $x)) } none < old[pre_stabilize38](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(31, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_stabilize38](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == 
old[pre_stabilize38](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) ___silicon_hack407_havoc_all_ParCounter() inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize38](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_interferenceSet_hf(31, $k, $alvl, $c, $lvl, $x))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize38](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(31, $k, $alvl, $c, $lvl, $x) == old[pre_stabilize38](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Stabilising regions Counter,SeqCounter,ParCounter (after use-atomic@175.3) END } method $_Counter_interpretation_stability_check(c: Ref, lvl: Int, x: Ref) { inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write) // no init required // no init required // no init required inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale acc(x.$memcell_$f, write) && true // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of region interpretation) BEGIN label pre_stabilize39 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize39](perm(Counter($c, $lvl, 
$x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize39](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize39](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize39](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize39](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize39](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize39](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == 
old[pre_stabilize39](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize39](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of region interpretation) END assert acc(x.$memcell_$f, write) && true } method $_Counter_action_transitivity_check() { var G: Bool var $_action_n_0_x: Int var $_action_m_0_x: Int var $_action_n_0_y: Int var $_action_m_0_y: Int var aState: Int var bState: Int var cState: Int inhale aState == bState || $_action_n_0_x == aState && $_action_m_0_x == bState && true && G inhale bState == cState || $_action_n_0_y == bState && $_action_m_0_y == cState && true && G assert aState == cState || aState == aState && cState == cState && true && G } method $_SeqCounter_interpretation_stability_check(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref) { inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write) // no init required // no init required // no init required inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write) && lvl < alvl // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of region interpretation) BEGIN label pre_stabilize40 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref 
[Counter($c, $lvl, $x)] :: none < old[pre_stabilize40](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize40](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize40](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize40](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize40](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize40](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize40](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, 
$lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize40](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize40](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of region interpretation) END assert acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write) && lvl < alvl } method $_SeqCounter_action_transitivity_check() { var S: Bool var $_action_n_0_x: Int var $_action_m_0_x: Int var $_action_n_0_y: Int var $_action_m_0_y: Int var aState: Int var bState: Int var cState: Int inhale aState == bState || $_action_n_0_x == aState && $_action_m_0_x == bState && true && S inhale bState == cState || $_action_n_0_y == bState && $_action_m_0_y == cState && true && S assert aState == cState || aState == aState && cState == cState && true && S } method $_ParCounter_interpretation_stability_check(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref) { inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write) // no init required // no init required // no init required inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write) && lvl < alvl // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of region interpretation) BEGIN label pre_stabilize41 // Stabilising all instances of region Counter 
___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize41](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize41](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize41](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize41](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize41](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize41](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize41](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < 
perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize41](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize41](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of region interpretation) END assert acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write) && lvl < alvl } method $_ParCounter_action_transitivity_check() { var P: Bool var $_action_n_0_x: Int var $_action_m_0_x: Int var $_action_n_0_y: Int var $_action_m_0_y: Int var aState: Int var bState: Int var cState: Int inhale aState == bState || $_action_n_0_x == aState && $_action_m_0_x == bState && true && P inhale bState == cState || $_action_n_0_y == bState && $_action_m_0_y == cState && true && P assert aState == cState || aState == aState && cState == cState && true && P } method $_read01_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref, ret: Int) requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write) { var $_levelVar_24: Int inhale $_levelVar_24 >= 0 && $_levelVar_24 > lvl inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write) // no init required // no init required // no init required inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: 
acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale Counter_interferenceSet_hf(31, c, lvl, x) == IntSet() inhale Counter_interferenceReference_hf(31, c, lvl, x) == old(Counter_state(c, lvl, x)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) BEGIN label pre_stabilize42 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize42](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize42](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize42](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize42](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize42](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize42](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) 
// Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize42](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize42](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize42](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) END assert acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write) }

// Generated stability check for a method precondition (named after `read02`).
// The body assumes the region bookkeeping, runs one stabilisation pass over the
// regions Counter, SeqCounter and ParCounter, and finally asserts an expression
// that is textually identical to the `requires` clause.
//
// Parameters:
//   c, lvl, x - arguments of the Counter(c, lvl, x) predicate instance named in the
//               precondition.
//   ret       - not referenced anywhere in this method.
//
// NOTE(review): every fact before the final `assert` is inhaled (assumed, not proved),
// so the check is only meaningful if those assumptions are jointly satisfiable. A
// temporary `assert false` that is expected to FAIL is a cheap way to confirm that.
method $_read02_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref, ret: Int)
  // NOTE(review): `Counter_state(c, lvl, x) == Counter_state(c, lvl, x)` is reflexive as
  // written, so it constrains nothing. Presumably it is what remains of a source-level
  // binding of the abstract state; confirm against the generator.
  requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write)
{
  var $_levelVar_25: Int
  // The level variable is only assumed to be non-negative and strictly greater than lvl.
  inhale $_levelVar_25 >= 0 && $_levelVar_25 > lvl
  // Assume write permission to the three *_sk_fp() resources.
  inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write)
  // no init required
  // no init required
  // no init required
  // Assume write permission to every interference-context instance of each region.
  inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  // Interference context 31 for this Counter instance: the interference set is the
  // singleton holding the current state, and the reference value is the state in the
  // method's pre-state (unlabelled `old`).
  inhale Counter_interferenceSet_hf(31, c, lvl, x) == Set(Counter_state(c, lvl, x))
  inhale Counter_interferenceReference_hf(31, c, lvl, x) == old(Counter_state(c, lvl, x))

  // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) BEGIN
  // The label fixes the state that the old[pre_stabilize43](...) expressions below refer to.
  label pre_stabilize43

  // Stabilising all instances of region Counter
  // The havoc helper is defined outside this view; by its name it havocs every Counter instance.
  ___silicon_hack407_havoc_all_Counter()
  // Giving up and re-acquiring write permission discards what was known under it,
  // presumably so that Counter_sk_$_action_n/_m denote fresh values (their definitions
  // are outside this view).
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  // For every Counter instance held at the label, the new state must
  //   (1) lie in the atomicity context, when permission to $c.$diamond and to the
  //       atomicity-context resource is held, and
  //   (2) either equal the state at the label, or equal Counter_sk_$_action_m while
  //       Counter_sk_$_action_n equals the state at the label.
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] ::
    none < old[pre_stabilize43](perm(Counter($c, $lvl, $x))) ==>
      (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==>
        (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) &&
      (Counter_state($c, $lvl, $x) == old[pre_stabilize43](Counter_state($c, $lvl, $x)) ||
       Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize43](Counter_state($c, $lvl, $x)) &&
       Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true))

  // Stabilising all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  // Same shape as for Counter, except that the changed-state alternative additionally
  // requires that no permission to SeqCounter_S($k) is held.
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] ::
    none < old[pre_stabilize43](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==>
      (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==>
        (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) &&
      (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize43](SeqCounter_state($k, $alvl, $c, $lvl, $x)) ||
       SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize43](SeqCounter_state($k, $alvl, $c, $lvl, $x)) &&
       SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none))

  // Stabilising all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  // Same shape as for Counter, quantified over ParCounter instances.
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] ::
    none < old[pre_stabilize43](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==>
      (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==>
        (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) &&
      (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize43](ParCounter_state($k, $alvl, $c, $lvl, $x)) ||
       ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize43](ParCounter_state($k, $alvl, $c, $lvl, $x)) &&
       ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) END

  // The precondition, re-checked in the stabilised state.
  assert acc(Counter(c, lvl, x), write) && (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && acc(Counter_G(c), write)
}

method $_read01_client01_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref, ret: Int) requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write) { var $_levelVar_26: Int inhale $_levelVar_26 >= 0 && $_levelVar_26 > lvl inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write) // no init required // no init required // no init required inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non 
atomic procedure) BEGIN label pre_infer10 // Inferring interference all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(32, $c, $lvl, $x)) } none < old[pre_infer10](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(32, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_infer10](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer10](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer10](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(32, $c, $lvl, $x) == old[pre_infer10](Counter_state($c, $lvl, $x))) // Inferring interference all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(32, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer10](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(32, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer10](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == 
old[pre_infer10](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer10](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(32, $k, $alvl, $c, $lvl, $x) == old[pre_infer10](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Inferring interference all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(32, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer10](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(32, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer10](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer10](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer10](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(32, $k, $alvl, $c, $lvl, $x) == old[pre_infer10](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END // ------- Stabilising regions 
Counter,SeqCounter,ParCounter (check stability of method condition) BEGIN label pre_stabilize44 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize44](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize44](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize44](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize44](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize44](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize44](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, 
$alvl, $c, $lvl, $x)] :: none < old[pre_stabilize44](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize44](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize44](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) END assert acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write) }

// Generated stability check for a method precondition (named after `read01_client02`).
// The body assumes the region bookkeeping, infers interference context 33 for the
// regions Counter, SeqCounter and ParCounter, runs one stabilisation pass over them,
// and finally asserts an expression textually identical to the `requires` clause.
//
// Parameters:
//   c, lvl, x - arguments of the Counter(c, lvl, x) predicate instance named in the
//               precondition.
//   ret       - not referenced anywhere in this method.
//
// NOTE(review): every fact before the final `assert` is inhaled (assumed, not proved),
// so the check is only meaningful if those assumptions are jointly satisfiable. A
// temporary `assert false` that is expected to FAIL is a cheap way to confirm that.
method $_read01_client02_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref, ret: Int)
  // The condition mentions no region state: besides the two permissions it only
  // requires lvl >= 0 (the `&& true` conjunct adds nothing).
  requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write)
{
  var $_levelVar_27: Int
  // The level variable is only assumed to be non-negative and strictly greater than lvl.
  inhale $_levelVar_27 >= 0 && $_levelVar_27 > lvl
  // Assume write permission to the three *_sk_fp() resources.
  inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write)
  // no init required
  // no init required
  // no init required
  // Assume write permission to every interference-context instance of each region.
  inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))

  // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN
  // The label fixes the state that the old[pre_infer11](...) expressions below refer to.
  label pre_infer11

  // Inferring interference all instances of region Counter
  // The havoc helper is defined outside this view; by its name it havocs every
  // Counter interference-context instance.
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  // Giving up and re-acquiring write permission discards what was known under it,
  // presumably so that Counter_sk_$_action_n/_m denote fresh values (their definitions
  // are outside this view).
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  // Defines membership in interference set 33 for every Counter instance held at the
  // label: $$_m is a member exactly when it lies in the atomicity context (if permission
  // to $c.$diamond and to the atomicity-context resource is held) and it either equals the
  // state at the label or equals Counter_sk_$_action_m while Counter_sk_$_action_n
  // equals the state at the label.
  // NOTE(review): the trigger mentions the *_df function while the body constrains the
  // *_hf function; presumably *_df is a twin used only for triggering; confirm.
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] ::
    (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(33, $c, $lvl, $x)) }
      none < old[pre_infer11](perm(Counter($c, $lvl, $x))) ==>
        ($$_m in Counter_interferenceSet_hf(33, $c, $lvl, $x)) ==
          ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==>
             ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) &&
           ($$_m == old[pre_infer11](Counter_state($c, $lvl, $x)) ||
            Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer11](Counter_state($c, $lvl, $x)) &&
            Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true))))
  // havoc performed by other front resource
  // The interference reference 33 is the state at the label.
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] ::
    none < old[pre_infer11](perm(Counter($c, $lvl, $x))) ==>
      Counter_interferenceReference_hf(33, $c, $lvl, $x) == old[pre_infer11](Counter_state($c, $lvl, $x)))

  // Inferring interference all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  // Same shape as for Counter, except that the changed-state alternative additionally
  // requires that no permission to SeqCounter_S($k) is held.
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] ::
    (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(33, $k, $alvl, $c, $lvl, $x)) }
      none < old[pre_infer11](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==>
        ($$_m in SeqCounter_interferenceSet_hf(33, $k, $alvl, $c, $lvl, $x)) ==
          ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==>
             ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) &&
           ($$_m == old[pre_infer11](SeqCounter_state($k, $alvl, $c, $lvl, $x)) ||
            SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer11](SeqCounter_state($k, $alvl, $c, $lvl, $x)) &&
            SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none))))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] ::
    none < old[pre_infer11](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==>
      SeqCounter_interferenceReference_hf(33, $k, $alvl, $c, $lvl, $x) == old[pre_infer11](SeqCounter_state($k, $alvl, $c, $lvl, $x)))

  // Inferring interference all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  // Same shape as for Counter, quantified over ParCounter instances.
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] ::
    (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(33, $k, $alvl, $c, $lvl, $x)) }
      none < old[pre_infer11](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==>
        ($$_m in ParCounter_interferenceSet_hf(33, $k, $alvl, $c, $lvl, $x)) ==
          ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==>
             ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) &&
           ($$_m == old[pre_infer11](ParCounter_state($k, $alvl, $c, $lvl, $x)) ||
            ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer11](ParCounter_state($k, $alvl, $c, $lvl, $x)) &&
            ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true))))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] ::
    none < old[pre_infer11](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==>
      ParCounter_interferenceReference_hf(33, $k, $alvl, $c, $lvl, $x) == old[pre_infer11](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END

  // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) BEGIN
  // The label fixes the state that the old[pre_stabilize45](...) expressions below refer to.
  label pre_stabilize45

  // Stabilising all instances of region Counter
  ___silicon_hack407_havoc_all_Counter()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  // For every Counter instance held at the label, the new state must lie in the
  // atomicity context (when that is held) and must either equal the state at the label
  // or equal Counter_sk_$_action_m while Counter_sk_$_action_n equals the state at the label.
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] ::
    none < old[pre_stabilize45](perm(Counter($c, $lvl, $x))) ==>
      (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==>
        (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) &&
      (Counter_state($c, $lvl, $x) == old[pre_stabilize45](Counter_state($c, $lvl, $x)) ||
       Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize45](Counter_state($c, $lvl, $x)) &&
       Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true))

  // Stabilising all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] ::
    none < old[pre_stabilize45](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==>
      (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==>
        (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) &&
      (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize45](SeqCounter_state($k, $alvl, $c, $lvl, $x)) ||
       SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize45](SeqCounter_state($k, $alvl, $c, $lvl, $x)) &&
       SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none))

  // Stabilising all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] ::
    none < old[pre_stabilize45](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==>
      (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==>
        (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) &&
      (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize45](ParCounter_state($k, $alvl, $c, $lvl, $x)) ||
       ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize45](ParCounter_state($k, $alvl, $c, $lvl, $x)) &&
       ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true))
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) END

  // The precondition, re-checked in the stabilised state.
  assert acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write)
}

method $_read01_client03_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref, ret: Int) requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write) { var $_levelVar_28: Int var v: Int inhale $_levelVar_28 >= 0 && $_levelVar_28 > lvl inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write) // no init required // no init required // no init required inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN label pre_infer12 // Inferring interference all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(34, $c, $lvl, $x)) } none < old[pre_infer12](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(34, $c, 
$lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_infer12](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer12](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer12](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(34, $c, $lvl, $x) == old[pre_infer12](Counter_state($c, $lvl, $x))) // Inferring interference all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(34, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer12](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(34, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer12](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer12](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer12](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(34, $k, $alvl, $c, $lvl, $x) == old[pre_infer12](SeqCounter_state($k, $alvl, $c, $lvl, 
$x))) // Inferring interference all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(34, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer12](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(34, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer12](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer12](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer12](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(34, $k, $alvl, $c, $lvl, $x) == old[pre_infer12](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) BEGIN label pre_stabilize46 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize46](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in 
Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize46](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize46](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize46](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize46](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize46](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize46](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize46](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == 
old[pre_stabilize46](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) END assert acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write) } method $_read02_client01_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref, ret: Int) requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write) { var $_levelVar_29: Int inhale $_levelVar_29 >= 0 && $_levelVar_29 > lvl inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write) // no init required // no init required // no init required inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN label pre_infer13 // Inferring interference all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(35, $c, $lvl, $x)) } none < old[pre_infer13](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(35, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_infer13](Counter_state($c, $lvl, $x)) || 
Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer13](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer13](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(35, $c, $lvl, $x) == old[pre_infer13](Counter_state($c, $lvl, $x))) // Inferring interference all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(35, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer13](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(35, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer13](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer13](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer13](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(35, $k, $alvl, $c, $lvl, $x) == old[pre_infer13](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Inferring interference all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale 
(forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(35, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer13](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(35, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer13](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer13](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer13](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(35, $k, $alvl, $c, $lvl, $x) == old[pre_infer13](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) BEGIN label pre_stabilize47 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize47](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize47](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize47](Counter_state($c, $lvl, $x)) && 
Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize47](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize47](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize47](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize47](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize47](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize47](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (check 
stability of method condition) END assert acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write) }

// Generated stability check for the precondition of read02_client02 (going by the method name).
// The body assumes level and footprint facts, models interference on every Counter,
// SeqCounter and ParCounter instance to which permission is held at the respective label,
// and finally asserts the very assertion that `requires` states. Parameter `ret` is never read.
// NOTE(review): every `inhale` is an unchecked assumption, so the final assert is only as strong
// as these generated constraints; the `&& true` conjuncts look like generator placeholders.
method $_read02_client02_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref, ret: Int)
  requires acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) && acc(Counter_G(c), write)
{
  // Level bound: only assumed to be non-negative and strictly above lvl.
  var $_levelVar_30: Int
  inhale $_levelVar_30 >= 0 && $_levelVar_30 > lvl
  // Write permission to the three *_sk_fp predicates is assumed (their definitions are not in view).
  inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write)
  // no init required
  // no init required
  // no init required
  // Write permission to the interference-context footprint is assumed for all argument tuples.
  inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))
  inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write))

  // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN
  label pre_infer14
  // Per region type: call the generated havoc method, exhale and re-inhale the *_sk_fp permission
  // (presumably to forget earlier values of the *_sk_$_action_* functions; confirm against their
  // definitions), then assume that $$_m is in interference set 36 exactly when
  //   (a) it lies in the atomicity context, if permission to $diamond and that context is held, and
  //   (b) it is the state at pre_infer14, or action_n equals that state and action_m equals $$_m.
  // NOTE(review): the trigger names *_interferenceSet_df while the constrained term is
  // *_interferenceSet_hf; how the two are related is defined outside this view.
  // Inferring interference all instances of region Counter
  ___silicon_hack407_havoc_all_Counter_interferenceContext_fp()
  exhale acc(Counter_sk_fp(), write)
  inhale acc(Counter_sk_fp(), write)
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] ::
    (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(36, $c, $lvl, $x)) }
      none < old[pre_infer14](perm(Counter($c, $lvl, $x))) ==>
      ($$_m in Counter_interferenceSet_hf(36, $c, $lvl, $x)) ==
      ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) &&
       ($$_m == old[pre_infer14](Counter_state($c, $lvl, $x)) ||
        Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer14](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true))))
  // havoc performed by other front resource
  // The interference reference with id 36 is pinned to the state at pre_infer14.
  inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] ::
    none < old[pre_infer14](perm(Counter($c, $lvl, $x))) ==>
    Counter_interferenceReference_hf(36, $c, $lvl, $x) == old[pre_infer14](Counter_state($c, $lvl, $x)))
  // Inferring interference all instances of region SeqCounter
  ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp()
  exhale acc(SeqCounter_sk_fp(), write)
  inhale acc(SeqCounter_sk_fp(), write)
  // Unlike Counter and ParCounter, the action disjunct here also requires perm(SeqCounter_S($k)) == none.
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] ::
    (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(36, $k, $alvl, $c, $lvl, $x)) }
      none < old[pre_infer14](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==>
      ($$_m in SeqCounter_interferenceSet_hf(36, $k, $alvl, $c, $lvl, $x)) ==
      ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) &&
       ($$_m == old[pre_infer14](SeqCounter_state($k, $alvl, $c, $lvl, $x)) ||
        SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer14](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none))))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] ::
    none < old[pre_infer14](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==>
    SeqCounter_interferenceReference_hf(36, $k, $alvl, $c, $lvl, $x) == old[pre_infer14](SeqCounter_state($k, $alvl, $c, $lvl, $x)))
  // Inferring interference all instances of region ParCounter
  ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp()
  exhale acc(ParCounter_sk_fp(), write)
  inhale acc(ParCounter_sk_fp(), write)
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] ::
    (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(36, $k, $alvl, $c, $lvl, $x)) }
      none < old[pre_infer14](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==>
      ($$_m in ParCounter_interferenceSet_hf(36, $k, $alvl, $c, $lvl, $x)) ==
      ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) &&
       ($$_m == old[pre_infer14](ParCounter_state($k, $alvl, $c, $lvl, $x)) ||
        ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer14](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true))))
  // havoc performed by other front resource
  inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] ::
    none < old[pre_infer14](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==>
    ParCounter_interferenceReference_hf(36, $k, $alvl, $c, $lvl, $x) == old[pre_infer14](ParCounter_state($k, $alvl, $c, $lvl, $x)))
  // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END

  // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) BEGIN
  label pre_stabilize47_placeholder_never_used
  // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) END
}
// ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN label pre_infer18 // Inferring interference all instances of region Counter ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(40, $c, $lvl, $x)) } none < old[pre_infer18](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(40, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_infer18](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer18](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer18](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(40, $c, $lvl, $x) == old[pre_infer18](Counter_state($c, $lvl, $x))) // Inferring interference all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(40, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer18](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(40, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer18](SeqCounter_state($k, $alvl, $c, 
$lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer18](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && perm(SeqCounter_S($k)) == none)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer18](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(40, $k, $alvl, $c, $lvl, $x) == old[pre_infer18](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Inferring interference all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(40, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer18](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(40, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer18](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer18](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer18](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(40, $k, $alvl, $c, $lvl, $x) == old[pre_infer18](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Inferring interference context Counter,SeqCounter,ParCounter 
(beginning of non atomic procedure) END // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) BEGIN label pre_stabilize52 // Stabilising all instances of region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize52](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize52](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize52](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize52](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize52](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize52](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale 
(forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize52](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize52](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize52](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) END assert acc(SeqCounter(k, alvl, c, lvl, x), write) && (alvl >= 0 && true) && acc(SeqCounter_S(k), write) } method $_read02_parclient01_condition_stability_precondition_check(k: Ref, alvl: Int, c: Ref, lvl: Int, x: Ref, ret: Int) requires acc(ParCounter(k, alvl, c, lvl, x), write) && (alvl >= 0 && true) && acc(ParCounter_P(k), write) { var $_levelVar_35: Int inhale $_levelVar_35 >= 0 && $_levelVar_35 > alvl inhale acc(Counter_sk_fp(), write) && acc(SeqCounter_sk_fp(), write) && acc(ParCounter_sk_fp(), write) // no init required // no init required // no init required inhale (forall $c: Ref, $lvl: Int, $x: Ref :: acc(Counter_interferenceContext_fp($c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(SeqCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) inhale (forall $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref :: acc(ParCounter_interferenceContext_fp($k, $alvl, $c, $lvl, $x), write)) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) BEGIN label pre_infer19 // Inferring interference all instances of region Counter 
___silicon_hack407_havoc_all_Counter_interferenceContext_fp() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in Counter_interferenceSet_df(41, $c, $lvl, $x)) } none < old[pre_infer19](perm(Counter($c, $lvl, $x))) ==> ($$_m in Counter_interferenceSet_hf(41, $c, $lvl, $x)) == ((none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && ($$_m == old[pre_infer19](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_infer19](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_infer19](perm(Counter($c, $lvl, $x))) ==> Counter_interferenceReference_hf(41, $c, $lvl, $x) == old[pre_infer19](Counter_state($c, $lvl, $x))) // Inferring interference all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter_interferenceContext_fp() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in SeqCounter_interferenceSet_df(41, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer19](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in SeqCounter_interferenceSet_hf(41, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer19](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer19](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && 
true && perm(SeqCounter_S($k)) == none)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer19](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> SeqCounter_interferenceReference_hf(41, $k, $alvl, $c, $lvl, $x) == old[pre_infer19](SeqCounter_state($k, $alvl, $c, $lvl, $x))) // Inferring interference all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter_interferenceContext_fp() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: (forall $$_m: Int :: { ($$_m in ParCounter_interferenceSet_df(41, $k, $alvl, $c, $lvl, $x)) } none < old[pre_infer19](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ($$_m in ParCounter_interferenceSet_hf(41, $k, $alvl, $c, $lvl, $x)) == ((none < perm($k.$diamond) && none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> ($$_m in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && ($$_m == old[pre_infer19](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_infer19](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == $$_m && true && true)))) // havoc performed by other front resource inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_infer19](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> ParCounter_interferenceReference_hf(41, $k, $alvl, $c, $lvl, $x) == old[pre_infer19](ParCounter_state($k, $alvl, $c, $lvl, $x))) // ------- Inferring interference context Counter,SeqCounter,ParCounter (beginning of non atomic procedure) END // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) BEGIN label pre_stabilize53 // Stabilising all instances of 
region Counter ___silicon_hack407_havoc_all_Counter() exhale acc(Counter_sk_fp(), write) inhale acc(Counter_sk_fp(), write) inhale (forperm $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < old[pre_stabilize53](perm(Counter($c, $lvl, $x))) ==> (none < perm($c.$diamond) && none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> (Counter_state($c, $lvl, $x) in Counter_atomicity_context_hf($c, $lvl, $x))) && (Counter_state($c, $lvl, $x) == old[pre_stabilize53](Counter_state($c, $lvl, $x)) || Counter_sk_$_action_n($c, $lvl, $x) == old[pre_stabilize53](Counter_state($c, $lvl, $x)) && Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && true && true)) // Stabilising all instances of region SeqCounter ___silicon_hack407_havoc_all_SeqCounter() exhale acc(SeqCounter_sk_fp(), write) inhale acc(SeqCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [SeqCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize53](perm(SeqCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && none < perm(SeqCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (SeqCounter_state($k, $alvl, $c, $lvl, $x) in SeqCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (SeqCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize53](SeqCounter_state($k, $alvl, $c, $lvl, $x)) || SeqCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize53](SeqCounter_state($k, $alvl, $c, $lvl, $x)) && SeqCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == SeqCounter_state($k, $alvl, $c, $lvl, $x) && true && perm(SeqCounter_S($k)) == none)) // Stabilising all instances of region ParCounter ___silicon_hack407_havoc_all_ParCounter() exhale acc(ParCounter_sk_fp(), write) inhale acc(ParCounter_sk_fp(), write) inhale (forperm $k: Ref, $alvl: Int, $c: Ref, $lvl: Int, $x: Ref [ParCounter($k, $alvl, $c, $lvl, $x)] :: none < old[pre_stabilize53](perm(ParCounter($k, $alvl, $c, $lvl, $x))) ==> (none < perm($k.$diamond) && 
none < perm(ParCounter_atomicity_context_fp($k, $alvl, $c, $lvl, $x)) ==> (ParCounter_state($k, $alvl, $c, $lvl, $x) in ParCounter_atomicity_context_hf($k, $alvl, $c, $lvl, $x))) && (ParCounter_state($k, $alvl, $c, $lvl, $x) == old[pre_stabilize53](ParCounter_state($k, $alvl, $c, $lvl, $x)) || ParCounter_sk_$_action_n($k, $alvl, $c, $lvl, $x) == old[pre_stabilize53](ParCounter_state($k, $alvl, $c, $lvl, $x)) && ParCounter_sk_$_action_m($k, $alvl, $c, $lvl, $x) == ParCounter_state($k, $alvl, $c, $lvl, $x) && true && true)) // ------- Stabilising regions Counter,SeqCounter,ParCounter (check stability of method condition) END assert acc(ParCounter(k, alvl, c, lvl, x), write) && (alvl >= 0 && true) && acc(ParCounter_P(k), write) }