From 25d2856af3283c2d9ae3d6daf2325c59a68dc8c1 Mon Sep 17 00:00:00 2001
From: Igor Tarakanov <igortarakanov@mail.ru>
Date: Fri, 5 Jul 2019 15:50:19 +0300
Subject: [PATCH 01/14] [+] match_string proved

---
 .../whole_program/why3session.xml             | 847 ++++++++++++++++++
 src/match_string.c                            |  60 +-
 src/match_string.h                            |  36 +-
 3 files changed, 891 insertions(+), 52 deletions(-)
 create mode 100644 sessions/match_string.c.av/whole_program/why3session.xml

diff --git a/sessions/match_string.c.av/whole_program/why3session.xml b/sessions/match_string.c.av/whole_program/why3session.xml
new file mode 100644
index 0000000..9ed1dba
--- /dev/null
+++ b/sessions/match_string.c.av/whole_program/why3session.xml
@@ -0,0 +1,847 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
+"http://why3.lri.fr/why3session.dtd">
+<why3session shape_version="4">
+<prover id="0" name="Alt-Ergo" version="2.3.0" timelimit="15" steplimit="0" memlimit="1000"/>
+<prover id="1" name="CVC4" version="1.6" timelimit="15" steplimit="0" memlimit="1000"/>
+<file name="../match_string_c.mlw" expanded="true">
+<theory name="Function_match_string_safety" sum="9368a70fa9c61042bc2cd8f9261dc25c" expanded="true">
+ <goal name="WP_parameter match_string" expl="Function match_string, safety" expanded="true">
+ <proof prover="1"><result status="valid" time="0.23" steps="37502"/></proof>
+ </goal>
+</theory>
+<theory name="Function_match_string_behaviors" sum="389111eebf2aa2f8f8116ae8ac28fd5a" expanded="true">
+ <goal name="WP_parameter match_string_ensures_default" expl="Function match_string, default behavior" expanded="true">
+ <proof prover="1"><result status="valid" time="0.15" steps="38611"/></proof>
+ </goal>
+ <goal name="WP_parameter match_string_ensures_exists" expl="Function match_string, behavior exists" expanded="true">
+ <proof prover="1"><result status="valid" time="0.16" steps="38587"/></proof>
+ </goal>
+ <goal name="WP_parameter match_string_ensures_missing" expl="Function match_string, behavior missing" expanded="true">
+ <proof prover="0"><result status="valid" time="4.12" steps="6811"/></proof>
+ </goal>
+</theory>
+<theory name="Axiomatic_Padding" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int32_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int32_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int64_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int64_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int64_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int64_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int8_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int8_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int8_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int8_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int8_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int8_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint16_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint16_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint16_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint16_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint16_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint16_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint16_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint16_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint32_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint32_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint32_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint32_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint32_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint32_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint32_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint32_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint32_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint32_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint64_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint64_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint64_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint64_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint64_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint64_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint64_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint64_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint64_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint64_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint64_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint64_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint8_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint8_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint8_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint8_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint8_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint8_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint8_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint8_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint8_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint8_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint8_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint8_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint8_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint8_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int16_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int16_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int16_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int16_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int32_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int32_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int16_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int16_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int32_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int32_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int64_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int64_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int16_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int16_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int32_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int32_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int64_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int64_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int8_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int8_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int16_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int16_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int32_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int32_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int64_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int64_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int8_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int8_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint16_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint16_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int16_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int16_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int32_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int32_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int64_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int64_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int8_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int8_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint16_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint16_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint32_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint32_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int16_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int16_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int32_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int32_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int64_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int64_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Int8_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_int8_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint16_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint16_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint32_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint32_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Uint64_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Bit_uint64_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Globals_simple" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Root_voidP" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Root_voidP_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Root_voidP_unsafe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Root_char_xP_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Root_char_xP_unsafe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Root_char_xP" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Struct_char_xP" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Axiomatic_Strlen" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Axiomatic_LF__Axiomatic__valid_str_len" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Axiomatic_LF__Axiomatic__valid_str_shift" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Logic_cmp" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Logic_strncmp" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Logic_strcmp_0" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint64_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Exceptions" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_strcmp_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint64_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_strcmp" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Logic_type_padding" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Struct_voidP" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Struct_charP" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Struct_charP_unsafe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Struct_charP_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Struct_char_xP_unsafe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Struct_char_xP_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Struct_voidP_unsafe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Struct_voidP_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint64_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint64_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint64_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint32_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint32_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint32_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint32_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint16_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint16_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint16_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint16_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int8_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int8_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int8_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int8_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int64_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int64_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int64_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int64_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int32_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int32_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int32_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int32_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int16_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int16_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int16_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int16_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint32_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint32_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint32_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint32_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint16_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint16_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint16_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint16_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int8_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int8_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int8_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int8_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int64_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int64_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int64_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int64_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int32_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int32_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int32_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int32_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int16_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int16_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int16_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int16_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint16_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint16_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint16_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint16_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int8_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int8_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int8_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int8_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int64_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int64_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int64_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int64_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int32_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int32_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int32_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int32_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int16_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int16_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int16_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int16_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int8_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int8_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int8_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int8_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int64_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int64_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int64_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int64_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int32_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int32_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int32_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int32_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int16_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int16_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int16_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int16_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int64_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int64_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int64_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int64_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int32_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int32_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int32_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int32_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int16_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int16_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int16_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int16_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int32_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int32_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int32_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int32_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int16_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int16_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int16_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int16_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int16_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int16_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int16_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int16_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint8_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint8_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint8_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint8_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint8_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint8_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint8_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint8_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint8_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint8_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint8_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint8_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint8_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint8_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint8_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint8_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint8_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint8_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint8_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint8_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint8_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint8_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint8_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint8_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint8_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint8_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint8_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint8_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint64_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint64_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint64_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint64_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint64_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint64_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint64_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint64_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint64_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint64_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint64_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint64_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint64_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint64_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint64_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint64_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint32_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint32_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint32_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint32_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint32_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint32_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint32_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint32_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint32_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint32_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint32_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint32_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint32_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint32_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint32_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint32_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint32_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint32_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint32_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint32_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint16_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint16_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint16_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint16_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint16_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint16_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint16_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint16_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint16_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint16_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint16_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint16_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_uint16_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_uint16_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_uint16_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_uint16_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int8_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int8_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int8_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int8_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int8_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int8_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int8_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int8_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int8_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int8_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int8_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int8_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int64_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int64_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int64_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int64_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int64_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int64_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int64_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int64_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_bit_int32_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_bit_int32_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Safe_int32_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Unsafe_int32_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_elim_valid_str" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_elim_valid_str_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_elim_valid_str_len" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_elim_valid_str_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_valid_str_len" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_valid_str_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_intro_valid_str_len" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_intro_valid_str_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_valid_str_shift" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_valid_str_shift_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_elim_strlen" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_elim_strlen_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_strlen_0" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_strlen_0_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_match_string" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_match_string_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+</file>
+</why3session>
diff --git a/src/match_string.c b/src/match_string.c
index beaf577..6e2bdc9 100644
--- a/src/match_string.c
+++ b/src/match_string.c
@@ -1,39 +1,23 @@
 #include "match_string.h"
 
-/*@ predicate null_terminator(char **array) =
-       \exists integer i;
-          0 <= i &&
-          array[i] == \null &&
-          (\forall integer j; 0 <= j < i ==> array[j] != \null);
-    logic integer null_at(char **array) =
-       *array == \null ? 1 : 1 + null_at(array + 1);
- */
 
-/*@ requires valid_str(string);
-    requires n <= INT_MAX;
-    requires (null_terminator(array) &&
-             null_at(array) <= n     &&
-             \valid_read(array + (0 .. null_at(array))) &&
-             (\forall integer i; 0 <= i < null_at(array) ==> valid_str(array[i])))
-             ||
-             (\valid_read(array + (0 .. n - 1)) &&
-             (\forall integer i; 0 <= i < n ==> valid_str(array[i])));
-    assigns \nothing;
- */
 int match_string(const char * const *array, size_t n, const char *string)
 {
 	int index;
 	const char *item;
 
-	/*@ loop invariant 0 <= index;
-	    loop invariant null_terminator(array) ==> index <= null_at(array);
-	    loop invariant !null_terminator(array) ==> index <= n;
-	    loop assigns index;
-	    loop variant n - index;
-	 */
+    /*@
+        loop invariant 0 <= index <= n;
+        loop invariant \forall integer k; 0 <= k < index ==>
+            strcmp(array[k], string) != 0;
+		loop invariant \forall integer k; 0 <= k < index ==>
+            array[k] != NULL;
+        loop assigns index;
+		loop assigns item;
+        loop variant n - index;
+    */
 	for (index = 0; index < n; index++) {
 		item = array[index];
-		//@ assert item == \null || valid_str(item);
 		if (!item)
 			break;
 		if (!strcmp(item, string))
@@ -41,26 +25,4 @@ int match_string(const char * const *array, size_t n, const char *string)
 	}
 
 	return -EINVAL;
-}
-
-
-#ifdef DUMMY_MAIN
-
-int main(int argc, char *argv[])
-{
-	const char *str = "12345";
-	const char *list[] = {
-		"TEST",
-		"TST",
-		"TS",
-		"T",
-		"12345",
-		NULL
-	};
-
-	match_string(list, -1, str);
-	match_string(list, 3, str);
-
-	return 0;
-}
-#endif
+}
\ No newline at end of file
diff --git a/src/match_string.h b/src/match_string.h
index e4de8f8..ecdf53b 100644
--- a/src/match_string.h
+++ b/src/match_string.h
@@ -1,10 +1,8 @@
 #ifndef __MATCH_STRING_H__
 #define __MATCH_STRING_H__
 
-#include "kernel_definitions.h"
 #include "strcmp.h"
 
-
 /**
  * match_string - matches given string in an array
  * @array:	array of strings
@@ -15,6 +13,38 @@
  * index of a @string in the @array if matches, or %-EINVAL otherwise.
  */
 
+/*@
+    logic integer cmp(unsigned char a, unsigned char b) =
+       a == b ? 0 : a < b ? -1 : 1;
+
+    logic integer strncmp(char *cs, char *ct, integer n) =
+       n == -1 ? 0 : (cs[n] == ct[n] ? strncmp(cs+1, ct+1, n-1) : cmp((u8 AENO)cs[n], (u8 AENO)ct[n]));
+    logic integer strcmp(char *cs, char *ct) = strncmp(cs, ct, strlen(cs));
+*/
+
+/*@
+    requires \valid_read(array + (0..n-1));
+    requires valid_str(string);
+    requires n <= INT_MAX;
+    requires \forall integer i; 0 <= i < n && valid_str(array[i]);
+
+    assigns   \nothing;
+
+    behavior exists:
+        assumes  \exists integer i; 0 <= i < n && strcmp(array[i], string) == 0;
+        ensures  0 <= \result < n;
+        ensures  strcmp(array[\result], string) == 0;
+        ensures  \forall integer i; 0 <= i < \result ==>
+            strcmp(array[\result], string) != 0;
+
+    behavior missing:
+        assumes  \forall integer i; 0 <= i < n ==>
+            strcmp(array[i], string) != 0;
+        ensures  \result == -EINVAL;
+
+    complete behaviors;
+    disjoint behaviors;
+*/
 int match_string(const char * const *array, size_t n, const char *string);
 
-#endif // __MATCH_STRING_H__
\ No newline at end of file
+#endif // __MATCH_STRING_H__

From 56546dad8b9164516ce0f433037f22570ea87eaa Mon Sep 17 00:00:00 2001
From: Igor Tarakanov <igortarakanov@mail.ru>
Date: Fri, 5 Jul 2019 18:13:45 +0300
Subject: [PATCH 02/14] [fix] requirements for NULL terminated arrays, logic
 functions from strcmp.h

---
 README.md                                     |  2 +-
 .../whole_program/why3session.xml             | 15 ++++----
 src/match_string.c                            | 23 +++++++++++-
 src/match_string.h                            | 36 +++++++++++++------
 src/strcmp.h                                  |  3 +-
 5 files changed, 57 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index b8b2105..c585b96 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ The repository contains ACSL specifications for the Linux kernel functions. The
 | ID | Function      | Status | Logic function | libfuzzer | Comment |
 |----|---------------|--------|----------------|-----------|---------|
 | 1  | check\_bytes8 | proved | proved         | yes       |         |
-| 2  | match\_string |        | not required   |           |         |
+| 2  | match\_string | proved | not required   |           |         |
 | 3  | memchr        | proved |                | yes       |         |
 | 4  | memcmp        | proved |                | yes       |         |
 | 5  | memscan       | proved | not required   | yes       |         |
diff --git a/sessions/match_string.c.av/whole_program/why3session.xml b/sessions/match_string.c.av/whole_program/why3session.xml
index 9ed1dba..2411659 100644
--- a/sessions/match_string.c.av/whole_program/why3session.xml
+++ b/sessions/match_string.c.av/whole_program/why3session.xml
@@ -2,23 +2,22 @@
 <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
 "http://why3.lri.fr/why3session.dtd">
 <why3session shape_version="4">
-<prover id="0" name="Alt-Ergo" version="2.3.0" timelimit="15" steplimit="0" memlimit="1000"/>
-<prover id="1" name="CVC4" version="1.6" timelimit="15" steplimit="0" memlimit="1000"/>
+<prover id="0" name="CVC4" version="1.6" timelimit="20" steplimit="0" memlimit="4000"/>
 <file name="../match_string_c.mlw" expanded="true">
-<theory name="Function_match_string_safety" sum="9368a70fa9c61042bc2cd8f9261dc25c" expanded="true">
+<theory name="Function_match_string_safety" sum="9a29e89324408cb52ce239b0a70eaa81" expanded="true">
  <goal name="WP_parameter match_string" expl="Function match_string, safety" expanded="true">
- <proof prover="1"><result status="valid" time="0.23" steps="37502"/></proof>
+ <proof prover="0"><result status="valid" time="0.19" steps="37816"/></proof>
  </goal>
 </theory>
-<theory name="Function_match_string_behaviors" sum="389111eebf2aa2f8f8116ae8ac28fd5a" expanded="true">
+<theory name="Function_match_string_behaviors" sum="4acb660db3fc2e5c62db378d091100ff" expanded="true">
  <goal name="WP_parameter match_string_ensures_default" expl="Function match_string, default behavior" expanded="true">
- <proof prover="1"><result status="valid" time="0.15" steps="38611"/></proof>
+ <proof prover="0"><result status="valid" time="0.21" steps="38925"/></proof>
  </goal>
  <goal name="WP_parameter match_string_ensures_exists" expl="Function match_string, behavior exists" expanded="true">
- <proof prover="1"><result status="valid" time="0.16" steps="38587"/></proof>
+ <proof prover="0"><result status="valid" time="0.17" steps="38901"/></proof>
  </goal>
  <goal name="WP_parameter match_string_ensures_missing" expl="Function match_string, behavior missing" expanded="true">
- <proof prover="0"><result status="valid" time="4.12" steps="6811"/></proof>
+ <proof prover="0"><result status="valid" time="0.15" steps="36927"/></proof>
  </goal>
 </theory>
 <theory name="Axiomatic_Padding" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
diff --git a/src/match_string.c b/src/match_string.c
index 6e2bdc9..4ca0a52 100644
--- a/src/match_string.c
+++ b/src/match_string.c
@@ -25,4 +25,25 @@ int match_string(const char * const *array, size_t n, const char *string)
 	}
 
 	return -EINVAL;
-}
\ No newline at end of file
+}
+
+#ifdef DUMMY_MAIN	
+
+ int main(int argc, char *argv[])	
+{	
+	const char *str = "12345";	
+	const char *list[] = {	
+		"TEST",	
+		"TST",	
+		"TS",	
+		"T",	
+		"12345",	
+		NULL	
+	};	
+
+ 	match_string(list, -1, str);	
+	match_string(list, 3, str);	
+
+ 	return 0;	
+}	
+#endif
\ No newline at end of file
diff --git a/src/match_string.h b/src/match_string.h
index ecdf53b..cceccfb 100644
--- a/src/match_string.h
+++ b/src/match_string.h
@@ -1,6 +1,7 @@
 #ifndef __MATCH_STRING_H__
 #define __MATCH_STRING_H__
 
+#include "kernel_definitions.h"
 #include "strcmp.h"
 
 /**
@@ -13,25 +14,38 @@
  * index of a @string in the @array if matches, or %-EINVAL otherwise.
  */
 
-/*@
-    logic integer cmp(unsigned char a, unsigned char b) =
-       a == b ? 0 : a < b ? -1 : 1;
-
-    logic integer strncmp(char *cs, char *ct, integer n) =
-       n == -1 ? 0 : (cs[n] == ct[n] ? strncmp(cs+1, ct+1, n-1) : cmp((u8 AENO)cs[n], (u8 AENO)ct[n]));
-    logic integer strcmp(char *cs, char *ct) = strncmp(cs, ct, strlen(cs));
-*/
-
 /*@
     requires \valid_read(array + (0..n-1));
     requires valid_str(string);
     requires n <= INT_MAX;
-    requires \forall integer i; 0 <= i < n && valid_str(array[i]);
+    requires
+        (
+            n == -1 && (
+                \exists integer end;
+                    array[end] == NULL &&
+                    (
+                        \forall integer k;
+                            0 < k < end && array[k] != NULL
+                    ) &&
+                    (
+                        \forall integer k;
+                            0 < k < end && valid_str(array[k])
+                    )
+            )
+                
+        ) ||
+        (
+            n >= 0 && (
+                \forall integer i;
+                    0 <= i < n && valid_str(array[i])
+            )
+        );
 
     assigns   \nothing;
 
     behavior exists:
-        assumes  \exists integer i; 0 <= i < n && strcmp(array[i], string) == 0;
+        assumes  \exists integer i;
+            0 <= i < n && strcmp(array[i], string) == 0;
         ensures  0 <= \result < n;
         ensures  strcmp(array[\result], string) == 0;
         ensures  \forall integer i; 0 <= i < \result ==>
diff --git a/src/strcmp.h b/src/strcmp.h
index 2337d8d..ac7141b 100644
--- a/src/strcmp.h
+++ b/src/strcmp.h
@@ -3,7 +3,8 @@
 
 #include "strlen.h"
 
-/* axiomatic StrCmp {
+
+/*@ axiomatic StrCmp {
     logic integer cmp(unsigned char a, unsigned char b) =
        a == b ? 0 : a < b ? -1 : 1;
 

From ca8d329b686039d9f77d8a19839fd8ba01c48549 Mon Sep 17 00:00:00 2001
From: Igor Tarakanov <igortarakanov@mail.ru>
Date: Fri, 5 Jul 2019 18:18:34 +0300
Subject: [PATCH 03/14] [fix] correct -1 casting

---
 .../whole_program/why3session.xml             | 42 +++++++++++--------
 src/match_string.h                            |  2 +-
 2 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/sessions/match_string.c.av/whole_program/why3session.xml b/sessions/match_string.c.av/whole_program/why3session.xml
index 2411659..0533341 100644
--- a/sessions/match_string.c.av/whole_program/why3session.xml
+++ b/sessions/match_string.c.av/whole_program/why3session.xml
@@ -4,20 +4,20 @@
 <why3session shape_version="4">
 <prover id="0" name="CVC4" version="1.6" timelimit="20" steplimit="0" memlimit="4000"/>
 <file name="../match_string_c.mlw" expanded="true">
-<theory name="Function_match_string_safety" sum="9a29e89324408cb52ce239b0a70eaa81" expanded="true">
+<theory name="Function_match_string_safety" sum="371a6c8b2373609fa5ceb675be765237" expanded="true">
  <goal name="WP_parameter match_string" expl="Function match_string, safety" expanded="true">
- <proof prover="0"><result status="valid" time="0.19" steps="37816"/></proof>
+ <proof prover="0"><result status="valid" time="0.17" steps="43261"/></proof>
  </goal>
 </theory>
-<theory name="Function_match_string_behaviors" sum="4acb660db3fc2e5c62db378d091100ff" expanded="true">
+<theory name="Function_match_string_behaviors" sum="5b84dda6ed3b19aec562e919287068e5" expanded="true">
  <goal name="WP_parameter match_string_ensures_default" expl="Function match_string, default behavior" expanded="true">
- <proof prover="0"><result status="valid" time="0.21" steps="38925"/></proof>
+ <proof prover="0"><result status="valid" time="0.20" steps="44459"/></proof>
  </goal>
  <goal name="WP_parameter match_string_ensures_exists" expl="Function match_string, behavior exists" expanded="true">
- <proof prover="0"><result status="valid" time="0.17" steps="38901"/></proof>
+ <proof prover="0"><result status="valid" time="0.21" steps="44887"/></proof>
  </goal>
  <goal name="WP_parameter match_string_ensures_missing" expl="Function match_string, behavior missing" expanded="true">
- <proof prover="0"><result status="valid" time="0.15" steps="36927"/></proof>
+ <proof prover="0"><result status="valid" time="0.18" steps="43283"/></proof>
  </goal>
 </theory>
 <theory name="Axiomatic_Padding" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
@@ -332,21 +332,29 @@
 </theory>
 <theory name="Axiomatic_LF__Axiomatic__valid_str_shift" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Logic_cmp" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
-</theory>
-<theory name="Logic_strncmp" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
-</theory>
-<theory name="Logic_strcmp_0" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+<theory name="Axiomatic_StrCmp" sum="31d2bae0e747e626a0077db141676c67" expanded="true">
+ <goal name="Range" expl="Lemma range" expanded="true">
+ </goal>
+ <goal name="Defn_equal" expl="Lemma defn_equal" expanded="true">
+ </goal>
+ <goal name="Defn_less" expl="Lemma defn_less" expanded="true">
+ </goal>
+ <goal name="Defn_greater" expl="Lemma defn_greater" expanded="true">
+ </goal>
+ <goal name="Iter_one" expl="Lemma iter_one" expanded="true">
+ </goal>
+ <goal name="At_end" expl="Lemma at_end" expanded="true">
+ </goal>
 </theory>
-<theory name="Safe_uint64_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+<theory name="Safe_bit_uint64_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
 <theory name="Exceptions" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_strcmp_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+<theory name="Function_strcmp_0_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint64_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_strcmp" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+<theory name="Function_strcmp_0" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
 <theory name="Logic_type_padding" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
@@ -678,9 +686,9 @@
 </theory>
 <theory name="Unsafe_uint64_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint64_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+<theory name="Safe_uint64_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+<theory name="Unsafe_uint64_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
 <theory name="Safe_bit_uint64_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
diff --git a/src/match_string.h b/src/match_string.h
index cceccfb..f8608a5 100644
--- a/src/match_string.h
+++ b/src/match_string.h
@@ -20,7 +20,7 @@
     requires n <= INT_MAX;
     requires
         (
-            n == -1 && (
+            n == (size_t AENO)(-1) && (
                 \exists integer end;
                     array[end] == NULL &&
                     (

From ab9fcfd2b4bf98a8b226b3d4c29b10500c56417a Mon Sep 17 00:00:00 2001
From: Igor Tarakanov <igortarakanov@mail.ru>
Date: Fri, 5 Jul 2019 21:41:45 +0300
Subject: [PATCH 04/14] [wip]

---
 src/match_string.c |  2 ++
 src/match_string.h | 62 ++++++++++++++++++++++------------------------
 2 files changed, 32 insertions(+), 32 deletions(-)

diff --git a/src/match_string.c b/src/match_string.c
index 4ca0a52..a0c6f97 100644
--- a/src/match_string.c
+++ b/src/match_string.c
@@ -6,6 +6,8 @@ int match_string(const char * const *array, size_t n, const char *string)
 	int index;
 	const char *item;
 
+	/*@ assert 0 == 1; */
+
     /*@
         loop invariant 0 <= index <= n;
         loop invariant \forall integer k; 0 <= k < index ==>
diff --git a/src/match_string.h b/src/match_string.h
index f8608a5..011cad3 100644
--- a/src/match_string.h
+++ b/src/match_string.h
@@ -15,46 +15,44 @@
  */
 
 /*@
-    requires \valid_read(array + (0..n-1));
-    requires valid_str(string);
-    requires n <= INT_MAX;
-    requires
-        (
-            n == (size_t AENO)(-1) && (
-                \exists integer end;
-                    array[end] == NULL &&
-                    (
-                        \forall integer k;
-                            0 < k < end && array[k] != NULL
-                    ) &&
-                    (
-                        \forall integer k;
-                            0 < k < end && valid_str(array[k])
-                    )
-            )
-                
-        ) ||
-        (
-            n >= 0 && (
-                \forall integer i;
-                    0 <= i < n && valid_str(array[i])
-            )
+    logic size_t _real_len(char **array, size_t n) =
+        array[0] == NULL
+        ? (size_t) 0
+        : (
+            n > 0
+            ? (size_t) (1 + _real_len(array + 1, (size_t)(n - 1)))
+            : 0
         );
+*/
 
-    assigns   \nothing;
+/*@
+    requires _real_len(array, n) <= SIZE_MAX;
+    requires \valid_read(array + (0.._real_len(array, n)-1));
+    requires valid_str(string);
+
+    requires \forall integer i;
+        0 <= i < _real_len(array, n) &&
+        valid_str(array[i]);
+
+    assigns \nothing;
 
     behavior exists:
-        assumes  \exists integer i;
-            0 <= i < n && strcmp(array[i], string) == 0;
-        ensures  0 <= \result < n;
-        ensures  strcmp(array[\result], string) == 0;
-        ensures  \forall integer i; 0 <= i < \result ==>
+        assumes \exists integer i;
+            0 <= i < _real_len(array, n) &&
+            strcmp(array[i], string) == 0;
+
+        ensures 0 <= \result < _real_len(array, n);
+        ensures strcmp(array[\result], string) == 0;
+        ensures \forall integer k;
+            0 <= k < \result &&
             strcmp(array[\result], string) != 0;
 
     behavior missing:
-        assumes  \forall integer i; 0 <= i < n ==>
+        assumes \forall integer i;
+            0 <= i < _real_len(array, n) &&
             strcmp(array[i], string) != 0;
-        ensures  \result == -EINVAL;
+
+        ensures \result == -EINVAL;
 
     complete behaviors;
     disjoint behaviors;

From baa74c107106556708dd2ee97c235bac1c969082 Mon Sep 17 00:00:00 2001
From: Igor Tarakanov <igortarakanov@mail.ru>
Date: Mon, 8 Jul 2019 14:10:07 +0300
Subject: [PATCH 05/14] [wip]

---
 src/match_string.c |  19 ++++---
 src/match_string.h | 125 +++++++++++++++++++++++++++++++++++++--------
 2 files changed, 115 insertions(+), 29 deletions(-)

diff --git a/src/match_string.c b/src/match_string.c
index a0c6f97..3dc8299 100644
--- a/src/match_string.c
+++ b/src/match_string.c
@@ -6,26 +6,31 @@ int match_string(const char * const *array, size_t n, const char *string)
 	int index;
 	const char *item;
 
-	/*@ assert 0 == 1; */
 
     /*@
-        loop invariant 0 <= index <= n;
-        loop invariant \forall integer k; 0 <= k < index ==>
-            strcmp(array[k], string) != 0;
-		loop invariant \forall integer k; 0 <= k < index ==>
-            array[k] != NULL;
+        loop invariant 0 <= index < real_len(array, n);
+        loop invariant \forall integer k; 0 <= k < index ==> (
+            array[k] != NULL &&
+            strcmp(array[k], string) != 0
+		);
         loop assigns index;
 		loop assigns item;
-        loop variant n - index;
+        loop variant real_len(array, n) - index;
     */
+
 	for (index = 0; index < n; index++) {
 		item = array[index];
 		if (!item)
 			break;
+		//@ assert array[index] != NULL;
 		if (!strcmp(item, string))
 			return index;
+		//@ assert strcmp(array[index], string) != 0;
+		//@ assert checked_head(array, string, index);
 	}
 
+	//@ assert checked_head(array, string, n);
+
 	return -EINVAL;
 }
 
diff --git a/src/match_string.h b/src/match_string.h
index 011cad3..57e12ef 100644
--- a/src/match_string.h
+++ b/src/match_string.h
@@ -14,49 +14,130 @@
  * index of a @string in the @array if matches, or %-EINVAL otherwise.
  */
 
+
 /*@
-    logic size_t _real_len(char **array, size_t n) =
-        array[0] == NULL
-        ? (size_t) 0
-        : (
-            n > 0
-            ? (size_t) (1 + _real_len(array + 1, (size_t)(n - 1)))
-            : 0
-        );
+    axiomatic MatchString {
+        logic integer real_len(char **array, integer n) =
+            ((n <= 0) || (array[0] == NULL))
+            ? 0
+            : 1 + real_len(array + 1, n - 1);
+
+        predicate checked_head(char** array, char* string, integer tail) =
+            \forall integer k;
+                (0 <= k < tail) ==> (
+                    array[k] != NULL &&
+                    strcmp(array[k], string) != 0
+                );
+
+        lemma zero_len_a:
+            \forall char** array;
+                \valid_read(array) ==>
+                    real_len(array, 0) == 0;
+        
+        lemma zero_len_b:
+            \forall char** array, integer n;
+                (
+                    \valid_read(array) &&
+                    array[0] == NULL &&
+                    n > 0
+                ) ==>
+                    real_len(array, n) == 0;
+        
+        lemma one_element:
+            \forall char** array;
+                (
+                    \valid_read(array) &&
+                    array[0] != NULL
+                ) ==>
+                    real_len(array, 1) == 1;
+        
+        lemma basic:
+            \forall char** array, integer n;
+                (
+                    n > 0 &&
+                    \valid_read(array+(0..n)) &&
+                    array[0] != NULL
+                ) ==>
+                    (real_len(array, n) ==
+                        1 + real_len(array + 1, n - 1));
+        
+        lemma one_element_or_more:
+            \forall char** array, integer n;
+                (
+                    n > 0 &&
+                    \valid_read(array + (0..n)) &&
+                    array[0] != NULL
+                ) ==>
+                    real_len(array, n + 1) > 0;
+
+        lemma not_null_terminated:
+            \forall char** array, integer n;
+                (
+                    \valid_read(array+(0..n)) &&
+                    (\forall integer k; k <= n ==> array[k] != NULL)
+                ) ==>
+                    real_len(array, n + 1) == n + 1;
+
+        lemma lower_bound:
+            \forall char** array, integer n, char* string;
+                (
+                    valid_str(string) &&
+                    n > 0 &&
+                    \valid_read(array+(0..n))
+                ) ==> (
+                    \forall integer k;
+                        0 <= k <= n &&
+                        checked_head(array, string, k) ==>
+                            real_len(array, n + 1) >= k
+                );
+
+        lemma upper_bound:
+            \forall char** array, integer n;
+                (
+                    n >= 0 &&
+                    \valid_read(array + (0..n))
+                ) ==>
+                    (0 <= real_len(array, n + 1) <= n + 1);
+        
+    }
 */
 
 /*@
-    requires _real_len(array, n) <= SIZE_MAX;
-    requires \valid_read(array + (0.._real_len(array, n)-1));
+    requires real_len(array, n) <= SIZE_MAX;
+    requires \valid_read(array + (0..real_len(array, n)-1));
     requires valid_str(string);
 
-    requires \forall integer i;
-        0 <= i < _real_len(array, n) &&
-        valid_str(array[i]);
+    requires \forall integer k;
+        (0 <= k < real_len(array, n)) ==>
+        valid_str(array[k]);
 
     assigns \nothing;
 
     behavior exists:
-        assumes \exists integer i;
-            0 <= i < _real_len(array, n) &&
-            strcmp(array[i], string) == 0;
+        assumes \exists integer k;
+            (0 <= k < real_len(array, n)) ==>
+            strcmp(array[k], string) == 0;
 
-        ensures 0 <= \result < _real_len(array, n);
+        ensures 0 <= \result < real_len(array, n);
         ensures strcmp(array[\result], string) == 0;
         ensures \forall integer k;
-            0 <= k < \result &&
-            strcmp(array[\result], string) != 0;
+            (0 <= k < \result) ==>
+                (
+                    array[k] != NULL &&
+                    strcmp(array[\result], string) != 0
+                );
 
     behavior missing:
-        assumes \forall integer i;
-            0 <= i < _real_len(array, n) &&
-            strcmp(array[i], string) != 0;
+        assumes \forall integer k;
+            (0 <= k < real_len(array, n)) ==>
+                strcmp(array[k], string) != 0;
 
         ensures \result == -EINVAL;
 
     complete behaviors;
     disjoint behaviors;
 */
+
 int match_string(const char * const *array, size_t n, const char *string);
 
 #endif // __MATCH_STRING_H__

From 8dbb5dd7f4bc3ce8b9435cab3b7b471923e37dc7 Mon Sep 17 00:00:00 2001
From: Igor Tarakanov <igortarakanov@mail.ru>
Date: Tue, 23 Jul 2019 20:07:19 +0300
Subject: [PATCH 06/14] [+] match_string for null-terminated arrays proved

---
 .../whole_program/why3session.xml             |  71 +++++-
 src/match_string.c                            |  55 +++--
 src/match_string.h                            | 217 ++++++++----------
 src/strcmp.h                                  |   5 +-
 4 files changed, 195 insertions(+), 153 deletions(-)
 rename sessions/{match_string.c.av => match_string.av}/whole_program/why3session.xml (93%)

diff --git a/sessions/match_string.c.av/whole_program/why3session.xml b/sessions/match_string.av/whole_program/why3session.xml
similarity index 93%
rename from sessions/match_string.c.av/whole_program/why3session.xml
rename to sessions/match_string.av/whole_program/why3session.xml
index 0533341..07e6212 100644
--- a/sessions/match_string.c.av/whole_program/why3session.xml
+++ b/sessions/match_string.av/whole_program/why3session.xml
@@ -2,22 +2,57 @@
 <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
 "http://why3.lri.fr/why3session.dtd">
 <why3session shape_version="4">
-<prover id="0" name="CVC4" version="1.6" timelimit="20" steplimit="0" memlimit="4000"/>
+<prover id="0" name="Alt-Ergo" version="2.3.0" timelimit="15" steplimit="0" memlimit="4000"/>
+<prover id="1" name="CVC4" version="1.6" timelimit="15" steplimit="0" memlimit="4000"/>
 <file name="../match_string_c.mlw" expanded="true">
-<theory name="Function_match_string_safety" sum="371a6c8b2373609fa5ceb675be765237" expanded="true">
+<theory name="Function_match_string_safety" sum="b86f74d4c70a0ec59734d9cfb326ad6a" expanded="true">
  <goal name="WP_parameter match_string" expl="Function match_string, safety" expanded="true">
- <proof prover="0"><result status="valid" time="0.17" steps="43261"/></proof>
+ <proof prover="1"><result status="valid" time="0.71" steps="84698"/></proof>
  </goal>
 </theory>
-<theory name="Function_match_string_behaviors" sum="5b84dda6ed3b19aec562e919287068e5" expanded="true">
+<theory name="Function_match_string_behaviors" sum="e9a8487a5845a16116ef184ad0f7ef9e" expanded="true">
  <goal name="WP_parameter match_string_ensures_default" expl="Function match_string, default behavior" expanded="true">
- <proof prover="0"><result status="valid" time="0.20" steps="44459"/></proof>
+ <transf name="split_goal_wp" expanded="true">
+  <goal name="WP_parameter match_string_ensures_default.1" expl="Behavior disjointness check">
+  <proof prover="1"><result status="valid" time="0.37" steps="40246"/></proof>
+  </goal>
+  <goal name="WP_parameter match_string_ensures_default.2" expl="Behavior completeness check">
+  <proof prover="1"><result status="valid" time="0.35" steps="40250"/></proof>
+  </goal>
+  <goal name="WP_parameter match_string_ensures_default.3" expl="loop invariant init">
+  <proof prover="1"><result status="valid" time="1.16" steps="116128"/></proof>
+  </goal>
+  <goal name="WP_parameter match_string_ensures_default.4" expl="Assertion in line 53">
+  <proof prover="1"><result status="valid" time="0.62" steps="53702"/></proof>
+  </goal>
+  <goal name="WP_parameter match_string_ensures_default.5" expl="Assertion in line 31">
+  <proof prover="1"><result status="valid" time="0.89" steps="69214"/></proof>
+  </goal>
+  <goal name="WP_parameter match_string_ensures_default.6" expl="Assertion in line 42">
+  <proof prover="1"><result status="valid" time="0.62" steps="59006"/></proof>
+  </goal>
+  <goal name="WP_parameter match_string_ensures_default.7" expl="Assertion in line 48">
+  <proof prover="1"><result status="valid" time="0.52" steps="46943"/></proof>
+  </goal>
+  <goal name="WP_parameter match_string_ensures_default.8" expl="loop invariant preservation">
+  <proof prover="1"><result status="valid" time="0.73" steps="67603"/></proof>
+  </goal>
+  <goal name="WP_parameter match_string_ensures_default.9" expl="Assertion in line 33">
+  <proof prover="0"><result status="valid" time="0.89" steps="3052"/></proof>
+  </goal>
+  <goal name="WP_parameter match_string_ensures_default.10" expl="Assertion in line 35">
+  <proof prover="1"><result status="valid" time="0.55" steps="55666"/></proof>
+  </goal>
+  <goal name="WP_parameter match_string_ensures_default.11" expl="Assertion in line 53">
+  <proof prover="1"><result status="valid" time="0.31" steps="43642"/></proof>
+  </goal>
+ </transf>
  </goal>
  <goal name="WP_parameter match_string_ensures_exists" expl="Function match_string, behavior exists" expanded="true">
- <proof prover="0"><result status="valid" time="0.21" steps="44887"/></proof>
+ <proof prover="1"><result status="valid" time="5.37" steps="475910"/></proof>
  </goal>
  <goal name="WP_parameter match_string_ensures_missing" expl="Function match_string, behavior missing" expanded="true">
- <proof prover="0"><result status="valid" time="0.18" steps="43283"/></proof>
+ <proof prover="0"><result status="valid" time="0.30" steps="1206"/></proof>
  </goal>
 </theory>
 <theory name="Axiomatic_Padding" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
@@ -332,7 +367,7 @@
 </theory>
 <theory name="Axiomatic_LF__Axiomatic__valid_str_shift" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Axiomatic_StrCmp" sum="31d2bae0e747e626a0077db141676c67" expanded="true">
+<theory name="Axiomatic_StrCmp" sum="cee16887b1887da38f5c627e43221b7c" expanded="true">
  <goal name="Range" expl="Lemma range" expanded="true">
  </goal>
  <goal name="Defn_equal" expl="Lemma defn_equal" expanded="true">
@@ -346,13 +381,25 @@
  <goal name="At_end" expl="Lemma at_end" expanded="true">
  </goal>
 </theory>
-<theory name="Safe_bit_uint64_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+<theory name="Axiomatic_MatchString" sum="d8754ca9cc049dbbfef27b01ad97e44c" expanded="true">
+ <goal name="Real_len_not_nulls" expl="Lemma real_len_not_nulls" expanded="true">
+ </goal>
+ <goal name="Real_len_terminate" expl="Lemma real_len_terminate" expanded="true">
+ </goal>
+ <goal name="Real_len_maximum" expl="Lemma real_len_maximum" expanded="true">
+ </goal>
+ <goal name="Match_string_definition" expl="Lemma match_string_definition" expanded="true">
+ </goal>
+ <goal name="Strcmp_corollary" expl="Lemma strcmp_corollary" expanded="true">
+ </goal>
+</theory>
+<theory name="Safe_uint64_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
 <theory name="Exceptions" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
 <theory name="Function_strcmp_0_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+<theory name="Unsafe_uint64_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
 <theory name="Function_strcmp_0" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
@@ -686,9 +733,9 @@
 </theory>
 <theory name="Unsafe_uint64_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint64_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+<theory name="Safe_bit_uint64_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint64_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
 <theory name="Safe_bit_uint64_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
diff --git a/src/match_string.c b/src/match_string.c
index 3dc8299..10d77ad 100644
--- a/src/match_string.c
+++ b/src/match_string.c
@@ -5,31 +5,54 @@ int match_string(const char * const *array, size_t n, const char *string)
 {
 	int index;
 	const char *item;
-
-
-    /*@
-        loop invariant 0 <= index < real_len(array, n);
-        loop invariant \forall integer k; 0 <= k < index ==> (
-            array[k] != NULL &&
-            strcmp(array[k], string) != 0
-		);
-        loop assigns index;
+	
+  /*@
+		loop invariant 0 <= index <= real_len(array, n) <= n;
+		loop invariant
+			\forall size_t k;
+				0 <= k < index ==>
+					strcmp(array[k], string) != 0;
+		loop invariant
+			\forall size_t k;
+				0 <= k < index ==>
+					array[k] != NULL;
+		loop invariant
+			\forall size_t k;
+					0 <= k < index ==>
+						valid_str(array[k]);
+		loop assigns index;
 		loop assigns item;
-        loop variant real_len(array, n) - index;
-    */
-
+		loop variant real_len(array, n) - index;
+  */
 	for (index = 0; index < n; index++) {
 		item = array[index];
 		if (!item)
 			break;
-		//@ assert array[index] != NULL;
+		//@ assert valid_str(array[index]);
 		if (!strcmp(item, string))
+			//@ assert strlen(item) == strlen(string);
+			/*@
+				assert \forall size_t i;
+					0 < i <= strlen(item) ==> item[i] == string[i];
+			 */
 			return index;
-		//@ assert strcmp(array[index], string) != 0;
-		//@ assert checked_head(array, string, index);
+
+		/*@
+			assert
+				\exists size_t i;
+					(
+						0 <= i <= \min(strlen(item), strlen(string)) &&
+						item[i] != string[i]
+					);
+		*/
+		/*@ assert \forall size_t i;
+			0 <= i <= index ==> strcmp(array[i], string) != 0;
+		*/
 	}
 
-	//@ assert checked_head(array, string, n);
+	/*@ assert \forall size_t i;
+		0 <= i < real_len(array, n) ==> strcmp(array[i], string) != 0;
+	*/
 
 	return -EINVAL;
 }
diff --git a/src/match_string.h b/src/match_string.h
index 57e12ef..72e3ad2 100644
--- a/src/match_string.h
+++ b/src/match_string.h
@@ -5,7 +5,7 @@
 #include "strcmp.h"
 
 /**
- * match_string - matches given string in an array
+ * match_stringn - matches given string in an array
  * @array:	array of strings
  * @n:		number of strings in the array or -1 for NULL terminated arrays
  * @string:	string to match with
@@ -14,130 +14,103 @@
  * index of a @string in the @array if matches, or %-EINVAL otherwise.
  */
 
+/*
+ * In fact this function searches in a subarray ending NULL
+ * If n > INT_MAX and in array[0..INT_MAX] there are not NULL int index will
+ * be overflowed
+ */
 
-/*@
-    axiomatic MatchString {
-        logic integer real_len(char **array, integer n) =
-            ((n <= 0) || (array[0] == NULL))
-            ? 0
-            : 1 + real_len(array + 1, n - 1);
-
-        predicate checked_head(char** array, char* string, integer tail) =
-            \forall integer k;
-                (0 <= k < tail) ==> (
-                    array[k] != NULL &&
-                    strcmp(array[k], string) != 0
-                );
-
-        lemma zero_len_a:
-            \forall char** array;
-                \valid_read(array) ==>
-                    real_len(array, 0) == 0;
-        
-        lemma zero_len_b:
-            \forall char** array, integer n;
-                (
-                    \valid_read(array) &&
-                    array[0] == NULL &&
-                    n > 0
-                ) ==>
-                    real_len(array, n) == 0;
-        
-        lemma one_element:
-            \forall char** array;
-                (
-                    \valid_read(array) &&
-                    array[0] != NULL
-                ) ==>
-                    real_len(array, 1) == 1;
-        
-        lemma basic:
-            \forall char** array, integer n;
-                (
-                    n > 0 &&
-                    \valid_read(array+(0..n)) &&
-                    array[0] != NULL
-                ) ==>
-                    (real_len(array, n) ==
-                        1 + real_len(array + 1, n - 1));
-        
-        lemma one_element_or_more:
-            \forall char** array, integer n;
-                (
-                    n > 0 &&
-                    \valid_read(array + (0..n)) &&
-                    array[0] != NULL
-                ) ==>
-                    real_len(array, n + 1) > 0;
-
-        lemma not_null_terminated:
-            \forall char** array, integer n;
-                (
-                    \valid_read(array+(0..n)) &&
-                    (\forall integer k; k <= n ==> array[k] != NULL)
-                ) ==>
-                    real_len(array, n + 1) == n + 1;
-
-        lemma lower_bound:
-            \forall char** array, integer n, char* string;
-                (
-                    valid_str(string) &&
-                    n > 0 &&
-                    \valid_read(array+(0..n))
-                ) ==> (
-                    \forall integer k;
-                        0 <= k <= n &&
-                        checked_head(array, string, k) ==>
-                            real_len(array, n + 1) >= k
-                );
-
-        lemma upper_bound:
-            \forall char** array, integer n;
-                (
-                    n >= 0 &&
-                    \valid_read(array + (0..n))
-                ) ==>
-                    (0 <= real_len(array, n + 1) <= n + 1);
-        
-    }
-*/
+
+/*@ axiomatic MatchString {
+
+  logic size_t match_stringn(char** array, size_t n, char* string) =
+    n == 0
+      ? 0
+      : (
+        strcmp(array[0], string) == 0
+          ? 0
+          : match_stringn(array + 1, (size_t)(n - 1), string)
+      );
+
+  logic size_t real_len(char** array, size_t n) =
+    ((array[0] == NULL) || (n == 0))
+      ? 0
+      : (size_t)((size_t)1 + real_len(array + 1, (size_t)(n - 1)));
+
+  lemma real_len_not_nulls:
+    \forall char** array, size_t i, len;
+      0 <= i < real_len(array, len) ==> array[i] != NULL;
+
+  lemma real_len_terminate:
+     \forall char** array, size_t i, len;
+      i == real_len(array, len) ==>
+        array[i] == NULL || i == len;
+
+  lemma real_len_maximum:
+    \forall char** array, size_t len;
+      (\forall size_t i; i < len ==> array[i] != NULL) ==>
+        real_len(array, len) == len;
+
+  lemma match_string_definition:
+    \forall char** array, char* string, size_t i, len;
+      (
+        0 <= i < real_len(array, len) &&
+        (
+          \forall size_t j;
+            0 <= j < i ==> strcmp(array[j], string) != 0
+        ) &&
+        strcmp(array[i], string) == 0
+      ) ==>
+      match_stringn(array, real_len(array, len), string) == i;
+
+  lemma strcmp_corollary:
+    \forall char* string1, char* string2;
+      (
+        valid_str(string1) &&
+        valid_str(string2) &&
+        strcmp(string1, string2) != 0
+      ) ==> (
+          \exists size_t i;
+            0 <= i <= \min(strlen(string1), strlen(string2)) &&
+              string1[i] != string2[i]
+      );
+}
+ */
 
 /*@
-    requires real_len(array, n) <= SIZE_MAX;
-    requires \valid_read(array + (0..real_len(array, n)-1));
-    requires valid_str(string);
-
-    requires \forall integer k;
-        (0 <= k < real_len(array, n)) ==>
-        valid_str(array[k]);
-
-    assigns \nothing;
-
-    behavior exists:
-        assumes \exists integer k;
-            (0 <= k < real_len(array, n)) ==>
-            strcmp(array[k], string) == 0;
-
-        ensures 0 <= \result < real_len(array, n);
-        ensures strcmp(array[\result], string) == 0;
-        ensures \forall integer k;
-            (0 <= k < \result) ==>
-                (
-                    array[k] != NULL &&
-                    strcmp(array[\result], string) != 0
-                );
-
-    behavior missing:
-        assumes \forall integer k;
-            (0 <= k < real_len(array, n)) ==>
-                strcmp(array[k], string) != 0;
-
-        ensures \result == -EINVAL;
-
-    complete behaviors;
-    disjoint behaviors;
+  requires n <= INT_MAX;
+  requires (real_len(array, n) == n) ==> \valid(array+(0..n-1));
+  requires (real_len(array, n) < n) ==> \valid(array+(0..real_len(array, n)));
+  requires valid_str(string);
+  requires \forall size_t i;
+    0 <= i < real_len(array, n) ==> valid_str(array[i]);
+
+  assigns \nothing;
+
+  behavior exists:
+    assumes \exists size_t k;
+      (0 <= k < real_len(array, n)) &&
+        strcmp(array[k], string) == 0;
+
+    ensures \result == match_stringn(array, real_len(array, n), string);
+    ensures 0 <= \result < real_len(array, n);
+    ensures strcmp(array[\result], string) == 0;
+    ensures \forall size_t k;
+      (0 <= k < \result) ==> (
+          strcmp(array[k], string) != 0
+      );
+
+  behavior missing:
+    assumes \forall size_t k;
+      (0 <= k < real_len(array, n)) ==> (
+          strcmp(array[k], string) != 0
+      );
+
+    ensures \result == -EINVAL;
+
+  complete behaviors;
+  disjoint behaviors;
 */
-
-int match_string(const char * const *array, size_t n, const char *string);
+int match_string(const char* const* array, size_t n, const char* string);
 
 #endif // __MATCH_STRING_H__
diff --git a/src/strcmp.h b/src/strcmp.h
index ac7141b..61d69c9 100644
--- a/src/strcmp.h
+++ b/src/strcmp.h
@@ -3,13 +3,12 @@
 
 #include "strlen.h"
 
-
 /*@ axiomatic StrCmp {
     logic integer cmp(unsigned char a, unsigned char b) =
        a == b ? 0 : a < b ? -1 : 1;
 
     logic integer strncmp(char *cs, char *ct, integer n) =
-       n == -1 ? 0 : (cs[n] == ct[n] ? strncmp(cs+1, ct+1, n-1) : cmp((u8 AENO)cs[n], (u8 AENO)ct[n]));
+       n == -1 ? 0 : (cs[0] == ct[0] ? strncmp(cs+1, ct+1, n-1) : cmp((u8 AENO)cs[0], (u8 AENO)ct[0]));
     logic integer strcmp(char *cs, char *ct) = strncmp(cs, ct, strlen(cs));
     predicate equaln(char *cs, char *ct, size_t n) = strncmp(cs, ct, n) == 0;
     predicate equal(char *cs, char *ct) = strcmp(cs, ct) == 0;
@@ -58,7 +57,7 @@
 /*@ requires valid_str(cs);
     requires valid_str(ct);
     assigns \nothing;
-    //ensures \result == strcmp(cs, ct);
+    ensures \result == strcmp(cs, ct);
     behavior equal:
        assumes \forall integer i; 0 <= i <= strlen(cs) ==> cs[i] == ct[i];
        ensures \result == 0;

From 4f7063525ca40a53e45dadc928f43c413eef560a Mon Sep 17 00:00:00 2001
From: Denis Efremov <efremov@linux.com>
Date: Thu, 25 Jul 2019 15:35:43 +0300
Subject: [PATCH 07/14] match_string: regenerate session

---
 .../whole_program/why3session.xml             | 34 +++++++++----------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/sessions/match_string.av/whole_program/why3session.xml b/sessions/match_string.av/whole_program/why3session.xml
index 07e6212..4e7b613 100644
--- a/sessions/match_string.av/whole_program/why3session.xml
+++ b/sessions/match_string.av/whole_program/why3session.xml
@@ -2,57 +2,57 @@
 <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
 "http://why3.lri.fr/why3session.dtd">
 <why3session shape_version="4">
-<prover id="0" name="Alt-Ergo" version="2.3.0" timelimit="15" steplimit="0" memlimit="4000"/>
-<prover id="1" name="CVC4" version="1.6" timelimit="15" steplimit="0" memlimit="4000"/>
-<file name="../match_string_c.mlw" expanded="true">
+<prover id="0" name="CVC4" version="1.6" alternative="noBV" timelimit="2" steplimit="0" memlimit="2000"/>
+<prover id="1" name="Alt-Ergo" version="2.3.0" timelimit="2" steplimit="0" memlimit="2000"/>
+<file name="../whole_program.mlw" expanded="true">
 <theory name="Function_match_string_safety" sum="b86f74d4c70a0ec59734d9cfb326ad6a" expanded="true">
  <goal name="WP_parameter match_string" expl="Function match_string, safety" expanded="true">
- <proof prover="1"><result status="valid" time="0.71" steps="84698"/></proof>
+ <proof prover="0"><result status="valid" time="0.15"/></proof>
  </goal>
 </theory>
 <theory name="Function_match_string_behaviors" sum="e9a8487a5845a16116ef184ad0f7ef9e" expanded="true">
  <goal name="WP_parameter match_string_ensures_default" expl="Function match_string, default behavior" expanded="true">
  <transf name="split_goal_wp" expanded="true">
   <goal name="WP_parameter match_string_ensures_default.1" expl="Behavior disjointness check">
-  <proof prover="1"><result status="valid" time="0.37" steps="40246"/></proof>
+  <proof prover="1"><result status="valid" time="0.05" steps="151"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.2" expl="Behavior completeness check">
-  <proof prover="1"><result status="valid" time="0.35" steps="40250"/></proof>
+  <proof prover="1"><result status="valid" time="0.05" steps="149"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.3" expl="loop invariant init">
-  <proof prover="1"><result status="valid" time="1.16" steps="116128"/></proof>
+  <proof prover="0"><result status="valid" time="0.27"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.4" expl="Assertion in line 53">
-  <proof prover="1"><result status="valid" time="0.62" steps="53702"/></proof>
+  <proof prover="0"><result status="valid" time="0.17"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.5" expl="Assertion in line 31">
-  <proof prover="1"><result status="valid" time="0.89" steps="69214"/></proof>
+  <proof prover="1"><result status="valid" time="0.18" steps="912"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.6" expl="Assertion in line 42">
-  <proof prover="1"><result status="valid" time="0.62" steps="59006"/></proof>
+  <proof prover="1"><result status="valid" time="0.38" steps="1355"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.7" expl="Assertion in line 48">
-  <proof prover="1"><result status="valid" time="0.52" steps="46943"/></proof>
+  <proof prover="1"><result status="valid" time="0.07" steps="190"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.8" expl="loop invariant preservation">
-  <proof prover="1"><result status="valid" time="0.73" steps="67603"/></proof>
+  <proof prover="1"><result status="valid" time="0.53" steps="3187"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.9" expl="Assertion in line 33">
-  <proof prover="0"><result status="valid" time="0.89" steps="3052"/></proof>
+  <proof prover="1"><result status="valid" time="0.61" steps="3052"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.10" expl="Assertion in line 35">
-  <proof prover="1"><result status="valid" time="0.55" steps="55666"/></proof>
+  <proof prover="1"><result status="valid" time="0.16" steps="1196"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.11" expl="Assertion in line 53">
-  <proof prover="1"><result status="valid" time="0.31" steps="43642"/></proof>
+  <proof prover="1"><result status="valid" time="0.03" steps="165"/></proof>
   </goal>
  </transf>
  </goal>
  <goal name="WP_parameter match_string_ensures_exists" expl="Function match_string, behavior exists" expanded="true">
- <proof prover="1"><result status="valid" time="5.37" steps="475910"/></proof>
+ <proof prover="1"><result status="valid" time="1.69" steps="9082"/></proof>
  </goal>
  <goal name="WP_parameter match_string_ensures_missing" expl="Function match_string, behavior missing" expanded="true">
- <proof prover="0"><result status="valid" time="0.30" steps="1206"/></proof>
+ <proof prover="1"><result status="valid" time="0.15" steps="1206"/></proof>
  </goal>
 </theory>
 <theory name="Axiomatic_Padding" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">

From 3b93699373747d931345c448f57ad1649257bac7 Mon Sep 17 00:00:00 2001
From: Denis Efremov <efremov@linux.com>
Date: Thu, 25 Jul 2019 15:35:58 +0300
Subject: [PATCH 08/14] match_string: restore original main

---
 src/match_string.c | 35 ++++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/src/match_string.c b/src/match_string.c
index 10d77ad..20c4fe9 100644
--- a/src/match_string.c
+++ b/src/match_string.c
@@ -57,23 +57,24 @@ int match_string(const char * const *array, size_t n, const char *string)
 	return -EINVAL;
 }
 
-#ifdef DUMMY_MAIN	
 
- int main(int argc, char *argv[])	
-{	
-	const char *str = "12345";	
-	const char *list[] = {	
-		"TEST",	
-		"TST",	
-		"TS",	
-		"T",	
-		"12345",	
-		NULL	
-	};	
+#ifdef DUMMY_MAIN
 
- 	match_string(list, -1, str);	
-	match_string(list, 3, str);	
+int main(int argc, char *argv[])
+{
+	const char *str = "12345";
+	const char *list[] = {
+		"TEST",
+		"TST",
+		"TS",
+		"T",
+		"12345",
+		NULL
+	};
+
+	match_string(list, -1, str);
+	match_string(list, 3, str);
 
- 	return 0;	
-}	
-#endif
\ No newline at end of file
+	return 0;
+}
+#endif

From 777541d36065f55d24ad4601866e683798a0786f Mon Sep 17 00:00:00 2001
From: Denis Efremov <efremov@linux.com>
Date: Thu, 25 Jul 2019 23:54:40 +0300
Subject: [PATCH 09/14] match_string: reindend

---
 .../whole_program/why3session.xml             |  48 +++---
 src/match_string.c                            |  56 +++----
 src/match_string.h                            | 149 ++++++++----------
 3 files changed, 111 insertions(+), 142 deletions(-)

diff --git a/sessions/match_string.av/whole_program/why3session.xml b/sessions/match_string.av/whole_program/why3session.xml
index 4e7b613..76a639d 100644
--- a/sessions/match_string.av/whole_program/why3session.xml
+++ b/sessions/match_string.av/whole_program/why3session.xml
@@ -5,12 +5,12 @@
 <prover id="0" name="CVC4" version="1.6" alternative="noBV" timelimit="2" steplimit="0" memlimit="2000"/>
 <prover id="1" name="Alt-Ergo" version="2.3.0" timelimit="2" steplimit="0" memlimit="2000"/>
 <file name="../whole_program.mlw" expanded="true">
-<theory name="Function_match_string_safety" sum="b86f74d4c70a0ec59734d9cfb326ad6a" expanded="true">
- <goal name="WP_parameter match_string" expl="Function match_string, safety" expanded="true">
- <proof prover="0"><result status="valid" time="0.15"/></proof>
+<theory name="Function_match_string_0_safety" sum="b86f74d4c70a0ec59734d9cfb326ad6a" expanded="true">
+ <goal name="WP_parameter match_string_0" expl="Function match_string, safety" expanded="true">
+ <proof prover="0"><result status="valid" time="0.16"/></proof>
  </goal>
 </theory>
-<theory name="Function_match_string_behaviors" sum="e9a8487a5845a16116ef184ad0f7ef9e" expanded="true">
+<theory name="Function_match_string_0_behaviors" sum="e9a8487a5845a16116ef184ad0f7ef9e" expanded="true">
  <goal name="WP_parameter match_string_ensures_default" expl="Function match_string, default behavior" expanded="true">
  <transf name="split_goal_wp" expanded="true">
   <goal name="WP_parameter match_string_ensures_default.1" expl="Behavior disjointness check">
@@ -20,39 +20,39 @@
   <proof prover="1"><result status="valid" time="0.05" steps="149"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.3" expl="loop invariant init">
-  <proof prover="0"><result status="valid" time="0.27"/></proof>
+  <proof prover="0"><result status="valid" time="0.21"/></proof>
   </goal>
-  <goal name="WP_parameter match_string_ensures_default.4" expl="Assertion in line 53">
-  <proof prover="0"><result status="valid" time="0.17"/></proof>
+  <goal name="WP_parameter match_string_ensures_default.4" expl="Assertion in line 41">
+  <proof prover="0"><result status="valid" time="0.14"/></proof>
   </goal>
-  <goal name="WP_parameter match_string_ensures_default.5" expl="Assertion in line 31">
-  <proof prover="1"><result status="valid" time="0.18" steps="912"/></proof>
+  <goal name="WP_parameter match_string_ensures_default.5" expl="Assertion in line 24">
+  <proof prover="1"><result status="valid" time="0.12" steps="912"/></proof>
   </goal>
-  <goal name="WP_parameter match_string_ensures_default.6" expl="Assertion in line 42">
-  <proof prover="1"><result status="valid" time="0.38" steps="1355"/></proof>
+  <goal name="WP_parameter match_string_ensures_default.6" expl="Assertion in line 32">
+  <proof prover="1"><result status="valid" time="0.30" steps="1355"/></proof>
   </goal>
-  <goal name="WP_parameter match_string_ensures_default.7" expl="Assertion in line 48">
-  <proof prover="1"><result status="valid" time="0.07" steps="190"/></proof>
+  <goal name="WP_parameter match_string_ensures_default.7" expl="Assertion in line 36">
+  <proof prover="1"><result status="valid" time="0.04" steps="190"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.8" expl="loop invariant preservation">
-  <proof prover="1"><result status="valid" time="0.53" steps="3187"/></proof>
+  <proof prover="1"><result status="valid" time="0.42" steps="3187"/></proof>
   </goal>
-  <goal name="WP_parameter match_string_ensures_default.9" expl="Assertion in line 33">
-  <proof prover="1"><result status="valid" time="0.61" steps="3052"/></proof>
+  <goal name="WP_parameter match_string_ensures_default.9" expl="Assertion in line 26">
+  <proof prover="1"><result status="valid" time="0.47" steps="3052"/></proof>
   </goal>
-  <goal name="WP_parameter match_string_ensures_default.10" expl="Assertion in line 35">
-  <proof prover="1"><result status="valid" time="0.16" steps="1196"/></proof>
+  <goal name="WP_parameter match_string_ensures_default.10" expl="Assertion in line 27">
+  <proof prover="1"><result status="valid" time="0.13" steps="1196"/></proof>
   </goal>
-  <goal name="WP_parameter match_string_ensures_default.11" expl="Assertion in line 53">
-  <proof prover="1"><result status="valid" time="0.03" steps="165"/></proof>
+  <goal name="WP_parameter match_string_ensures_default.11" expl="Assertion in line 41">
+  <proof prover="1"><result status="valid" time="0.04" steps="165"/></proof>
   </goal>
  </transf>
  </goal>
  <goal name="WP_parameter match_string_ensures_exists" expl="Function match_string, behavior exists" expanded="true">
- <proof prover="1"><result status="valid" time="1.69" steps="9082"/></proof>
+ <proof prover="1"><result status="valid" time="1.70" steps="9082"/></proof>
  </goal>
  <goal name="WP_parameter match_string_ensures_missing" expl="Function match_string, behavior missing" expanded="true">
- <proof prover="1"><result status="valid" time="0.15" steps="1206"/></proof>
+ <proof prover="1"><result status="valid" time="0.14" steps="1206"/></proof>
  </goal>
 </theory>
 <theory name="Axiomatic_Padding" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
@@ -893,9 +893,9 @@
 </theory>
 <theory name="Function_strlen_0_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_match_string" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+<theory name="Function_match_string_0" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_match_string_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+<theory name="Function_match_string_0_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
 </file>
 </why3session>
diff --git a/src/match_string.c b/src/match_string.c
index 20c4fe9..19c3aed 100644
--- a/src/match_string.c
+++ b/src/match_string.c
@@ -5,25 +5,18 @@ int match_string(const char * const *array, size_t n, const char *string)
 {
 	int index;
 	const char *item;
-	
-  /*@
-		loop invariant 0 <= index <= real_len(array, n) <= n;
-		loop invariant
-			\forall size_t k;
-				0 <= k < index ==>
-					strcmp(array[k], string) != 0;
-		loop invariant
-			\forall size_t k;
-				0 <= k < index ==>
-					array[k] != NULL;
-		loop invariant
-			\forall size_t k;
-					0 <= k < index ==>
-						valid_str(array[k]);
-		loop assigns index;
-		loop assigns item;
-		loop variant real_len(array, n) - index;
-  */
+
+	/*@ loop invariant 0 <= index <= real_len(array, n) <= n;
+	    loop invariant \forall size_t k;
+	       0 <= k < index ==> strcmp(array[k], string) != 0;
+	    loop invariant \forall size_t k;
+	       0 <= k < index ==> array[k] != NULL;
+	    loop invariant \forall size_t k;
+	       0 <= k < index ==> valid_str(array[k]);
+	    loop assigns index;
+	    loop assigns item;
+	    loop variant real_len(array, n) - index;
+	 */
 	for (index = 0; index < n; index++) {
 		item = array[index];
 		if (!item)
@@ -31,28 +24,23 @@ int match_string(const char * const *array, size_t n, const char *string)
 		//@ assert valid_str(array[index]);
 		if (!strcmp(item, string))
 			//@ assert strlen(item) == strlen(string);
-			/*@
-				assert \forall size_t i;
-					0 < i <= strlen(item) ==> item[i] == string[i];
+			/*@ assert \forall size_t i;
+			       0 < i <= strlen(item) ==> item[i] == string[i];
 			 */
 			return index;
 
-		/*@
-			assert
-				\exists size_t i;
-					(
-						0 <= i <= \min(strlen(item), strlen(string)) &&
-						item[i] != string[i]
-					);
-		*/
+		/*@ assert \exists size_t i;
+		       0 <= i <= \min(strlen(item), strlen(string)) &&
+		       item[i] != string[i];
+		 */
 		/*@ assert \forall size_t i;
-			0 <= i <= index ==> strcmp(array[i], string) != 0;
-		*/
+		       0 <= i <= index ==> strcmp(array[i], string) != 0;
+		 */
 	}
 
 	/*@ assert \forall size_t i;
-		0 <= i < real_len(array, n) ==> strcmp(array[i], string) != 0;
-	*/
+	       0 <= i < real_len(array, n) ==> strcmp(array[i], string) != 0;
+	 */
 
 	return -EINVAL;
 }
diff --git a/src/match_string.h b/src/match_string.h
index 72e3ad2..49c4e1d 100644
--- a/src/match_string.h
+++ b/src/match_string.h
@@ -5,7 +5,7 @@
 #include "strcmp.h"
 
 /**
- * match_stringn - matches given string in an array
+ * match_string - matches given string in an array
  * @array:	array of strings
  * @n:		number of strings in the array or -1 for NULL terminated arrays
  * @string:	string to match with
@@ -20,93 +20,74 @@
  * be overflowed
  */
 
-
 /*@ axiomatic MatchString {
 
-  logic size_t match_stringn(char** array, size_t n, char* string) =
-    n == 0
-      ? 0
-      : (
-        strcmp(array[0], string) == 0
-          ? 0
-          : match_stringn(array + 1, (size_t)(n - 1), string)
-      );
-
-  logic size_t real_len(char** array, size_t n) =
-    ((array[0] == NULL) || (n == 0))
-      ? 0
-      : (size_t)((size_t)1 + real_len(array + 1, (size_t)(n - 1)));
-
-  lemma real_len_not_nulls:
-    \forall char** array, size_t i, len;
-      0 <= i < real_len(array, len) ==> array[i] != NULL;
-
-  lemma real_len_terminate:
-     \forall char** array, size_t i, len;
-      i == real_len(array, len) ==>
-        array[i] == NULL || i == len;
-
-  lemma real_len_maximum:
-    \forall char** array, size_t len;
-      (\forall size_t i; i < len ==> array[i] != NULL) ==>
-        real_len(array, len) == len;
-
-  lemma match_string_definition:
-    \forall char** array, char* string, size_t i, len;
-      (
-        0 <= i < real_len(array, len) &&
-        (
-          \forall size_t j;
-            0 <= j < i ==> strcmp(array[j], string) != 0
-        ) &&
-        strcmp(array[i], string) == 0
-      ) ==>
-      match_stringn(array, real_len(array, len), string) == i;
-
-  lemma strcmp_corollary:
-    \forall char* string1, char* string2;
-      (
-        valid_str(string1) &&
-        valid_str(string2) &&
-        strcmp(string1, string2) != 0
-      ) ==> (
-          \exists size_t i;
-            0 <= i <= \min(strlen(string1), strlen(string2)) &&
-              string1[i] != string2[i]
-      );
-}
+    logic size_t match_string(char **a, size_t n, char *s) =
+       n == 0 ?
+          0
+       :
+          (strcmp(a[0], s) == 0 ? 0 : match_string(a + 1, (size_t)(n - 1), s));
+
+    logic size_t real_len(char **a, size_t n) =
+       ((a[0] == NULL) || (n == 0)) ?
+          0
+       :
+          (size_t)(1 + real_len(a + 1, (size_t)(n - 1)));
+
+    lemma real_len_not_nulls:
+       \forall char **a, size_t i, len;
+          0 <= i < real_len(a, len) ==> a[i] != NULL;
+
+    lemma real_len_terminate:
+       \forall char **a, size_t i, len;
+          i == real_len(a, len) ==> a[i] == NULL || i == len;
+
+    lemma real_len_maximum:
+       \forall char** array, size_t len;
+          (\forall size_t i; i < len ==> array[i] != NULL) ==>
+          real_len(array, len) == len;
+
+    lemma match_string_definition:
+       \forall char** array, char* string, size_t i, len;
+          0 <= i < real_len(array, len) &&
+          (\forall size_t j; 0 <= j < i ==> strcmp(array[j], string) != 0) &&
+          strcmp(array[i], string) == 0 ==>
+          match_string(array, real_len(array, len), string) == i;
+
+    lemma strcmp_corollary:
+       \forall char* string1, char* string2;
+          valid_str(string1) &&
+          valid_str(string2) &&
+          strcmp(string1, string2) != 0 ==>
+	  (\exists size_t i;
+             0 <= i <= \min(strlen(string1), strlen(string2)) &&
+             string1[i] != string2[i]);
+    }
  */
 
-/*@
-  requires n <= INT_MAX;
-  requires (real_len(array, n) == n) ==> \valid(array+(0..n-1));
-  requires (real_len(array, n) < n) ==> \valid(array+(0..real_len(array, n)));
-  requires valid_str(string);
-  requires \forall size_t i;
-    0 <= i < real_len(array, n) ==> valid_str(array[i]);
-
-  assigns \nothing;
-
-  behavior exists:
-    assumes \exists size_t k;
-      (0 <= k < real_len(array, n)) &&
-        strcmp(array[k], string) == 0;
-
-    ensures \result == match_stringn(array, real_len(array, n), string);
-    ensures 0 <= \result < real_len(array, n);
-    ensures strcmp(array[\result], string) == 0;
-    ensures \forall size_t k;
-      (0 <= k < \result) ==> (
-          strcmp(array[k], string) != 0
-      );
-
-  behavior missing:
-    assumes \forall size_t k;
-      (0 <= k < real_len(array, n)) ==> (
-          strcmp(array[k], string) != 0
-      );
-
-    ensures \result == -EINVAL;
+/*@ requires n <= INT_MAX;
+    requires (real_len(array, n) == n) ==> \valid(array+(0..n-1));
+    requires (real_len(array, n) < n) ==> \valid(array+(0..real_len(array, n)));
+    requires valid_str(string);
+    requires \forall size_t i;
+       0 <= i < real_len(array, n) ==> valid_str(array[i]);
+
+    assigns \nothing;
+
+    behavior exists:
+       assumes \exists size_t k;
+          (0 <= k < real_len(array, n)) &&
+          strcmp(array[k], string) == 0;
+       ensures \result == match_string(array, real_len(array, n), string);
+       ensures 0 <= \result < real_len(array, n);
+       ensures strcmp(array[\result], string) == 0;
+       ensures \forall size_t k;
+          0 <= k < \result ==> strcmp(array[k], string) != 0;
+
+    behavior missing:
+       assumes \forall size_t k;
+          0 <= k < real_len(array, n) ==> strcmp(array[k], string) != 0;
+       ensures \result == -EINVAL;
 
   complete behaviors;
   disjoint behaviors;

From d25b3f1aedf6c52cf4affb6dc8a808df0db53740 Mon Sep 17 00:00:00 2001
From: Denis Efremov <efremov@linux.com>
Date: Fri, 26 Jul 2019 00:11:38 +0300
Subject: [PATCH 10/14] match_string: simplify specification

---
 .../whole_program/why3session.xml             | 43 ++++++-------------
 src/match_string.c                            | 18 +-------
 src/match_string.h                            |  6 +--
 3 files changed, 19 insertions(+), 48 deletions(-)

diff --git a/sessions/match_string.av/whole_program/why3session.xml b/sessions/match_string.av/whole_program/why3session.xml
index 76a639d..13e45d9 100644
--- a/sessions/match_string.av/whole_program/why3session.xml
+++ b/sessions/match_string.av/whole_program/why3session.xml
@@ -5,54 +5,39 @@
 <prover id="0" name="CVC4" version="1.6" alternative="noBV" timelimit="2" steplimit="0" memlimit="2000"/>
 <prover id="1" name="Alt-Ergo" version="2.3.0" timelimit="2" steplimit="0" memlimit="2000"/>
 <file name="../whole_program.mlw" expanded="true">
-<theory name="Function_match_string_0_safety" sum="b86f74d4c70a0ec59734d9cfb326ad6a" expanded="true">
+<theory name="Function_match_string_0_safety" sum="1f8cc5c24984d52512517b21ae5a2b91" expanded="true">
  <goal name="WP_parameter match_string_0" expl="Function match_string, safety" expanded="true">
- <proof prover="0"><result status="valid" time="0.16"/></proof>
+ <proof prover="0"><result status="valid" time="0.14"/></proof>
  </goal>
 </theory>
-<theory name="Function_match_string_0_behaviors" sum="e9a8487a5845a16116ef184ad0f7ef9e" expanded="true">
+<theory name="Function_match_string_0_behaviors" sum="2f161d4328733cc19f2abd76a447ae37" expanded="true">
  <goal name="WP_parameter match_string_ensures_default" expl="Function match_string, default behavior" expanded="true">
  <transf name="split_goal_wp" expanded="true">
   <goal name="WP_parameter match_string_ensures_default.1" expl="Behavior disjointness check">
-  <proof prover="1"><result status="valid" time="0.05" steps="151"/></proof>
+  <proof prover="1"><result status="valid" time="0.04" steps="151"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.2" expl="Behavior completeness check">
-  <proof prover="1"><result status="valid" time="0.05" steps="149"/></proof>
+  <proof prover="1"><result status="valid" time="0.04" steps="149"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.3" expl="loop invariant init">
-  <proof prover="0"><result status="valid" time="0.21"/></proof>
+  <proof prover="0"><result status="valid" time="0.19"/></proof>
   </goal>
-  <goal name="WP_parameter match_string_ensures_default.4" expl="Assertion in line 41">
-  <proof prover="0"><result status="valid" time="0.14"/></proof>
+  <goal name="WP_parameter match_string_ensures_default.4" expl="Assertion in line 21">
+  <proof prover="1"><result status="valid" time="0.11" steps="912"/></proof>
   </goal>
-  <goal name="WP_parameter match_string_ensures_default.5" expl="Assertion in line 24">
-  <proof prover="1"><result status="valid" time="0.12" steps="912"/></proof>
+  <goal name="WP_parameter match_string_ensures_default.5" expl="Assertion in line 25">
+  <proof prover="1"><result status="valid" time="1.34" steps="9983"/></proof>
   </goal>
-  <goal name="WP_parameter match_string_ensures_default.6" expl="Assertion in line 32">
-  <proof prover="1"><result status="valid" time="0.30" steps="1355"/></proof>
-  </goal>
-  <goal name="WP_parameter match_string_ensures_default.7" expl="Assertion in line 36">
-  <proof prover="1"><result status="valid" time="0.04" steps="190"/></proof>
-  </goal>
-  <goal name="WP_parameter match_string_ensures_default.8" expl="loop invariant preservation">
-  <proof prover="1"><result status="valid" time="0.42" steps="3187"/></proof>
-  </goal>
-  <goal name="WP_parameter match_string_ensures_default.9" expl="Assertion in line 26">
-  <proof prover="1"><result status="valid" time="0.47" steps="3052"/></proof>
-  </goal>
-  <goal name="WP_parameter match_string_ensures_default.10" expl="Assertion in line 27">
-  <proof prover="1"><result status="valid" time="0.13" steps="1196"/></proof>
-  </goal>
-  <goal name="WP_parameter match_string_ensures_default.11" expl="Assertion in line 41">
-  <proof prover="1"><result status="valid" time="0.04" steps="165"/></proof>
+  <goal name="WP_parameter match_string_ensures_default.6" expl="loop invariant preservation">
+  <proof prover="1"><result status="valid" time="0.31" steps="2523"/></proof>
   </goal>
  </transf>
  </goal>
  <goal name="WP_parameter match_string_ensures_exists" expl="Function match_string, behavior exists" expanded="true">
- <proof prover="1"><result status="valid" time="1.70" steps="9082"/></proof>
+ <proof prover="1"><result status="valid" time="1.44" steps="6473"/></proof>
  </goal>
  <goal name="WP_parameter match_string_ensures_missing" expl="Function match_string, behavior missing" expanded="true">
- <proof prover="1"><result status="valid" time="0.14" steps="1206"/></proof>
+ <proof prover="1"><result status="valid" time="0.32" steps="2393"/></proof>
  </goal>
 </theory>
 <theory name="Axiomatic_Padding" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
diff --git a/src/match_string.c b/src/match_string.c
index 19c3aed..a43e6c3 100644
--- a/src/match_string.c
+++ b/src/match_string.c
@@ -9,13 +9,10 @@ int match_string(const char * const *array, size_t n, const char *string)
 	/*@ loop invariant 0 <= index <= real_len(array, n) <= n;
 	    loop invariant \forall size_t k;
 	       0 <= k < index ==> strcmp(array[k], string) != 0;
-	    loop invariant \forall size_t k;
-	       0 <= k < index ==> array[k] != NULL;
 	    loop invariant \forall size_t k;
 	       0 <= k < index ==> valid_str(array[k]);
-	    loop assigns index;
-	    loop assigns item;
-	    loop variant real_len(array, n) - index;
+	    loop assigns index, item;
+	    loop variant INT_MAX - index;
 	 */
 	for (index = 0; index < n; index++) {
 		item = array[index];
@@ -23,25 +20,14 @@ int match_string(const char * const *array, size_t n, const char *string)
 			break;
 		//@ assert valid_str(array[index]);
 		if (!strcmp(item, string))
-			//@ assert strlen(item) == strlen(string);
-			/*@ assert \forall size_t i;
-			       0 < i <= strlen(item) ==> item[i] == string[i];
-			 */
 			return index;
 
 		/*@ assert \exists size_t i;
 		       0 <= i <= \min(strlen(item), strlen(string)) &&
 		       item[i] != string[i];
 		 */
-		/*@ assert \forall size_t i;
-		       0 <= i <= index ==> strcmp(array[i], string) != 0;
-		 */
 	}
 
-	/*@ assert \forall size_t i;
-	       0 <= i < real_len(array, n) ==> strcmp(array[i], string) != 0;
-	 */
-
 	return -EINVAL;
 }
 
diff --git a/src/match_string.h b/src/match_string.h
index 49c4e1d..d021c01 100644
--- a/src/match_string.h
+++ b/src/match_string.h
@@ -89,9 +89,9 @@
           0 <= k < real_len(array, n) ==> strcmp(array[k], string) != 0;
        ensures \result == -EINVAL;
 
-  complete behaviors;
-  disjoint behaviors;
+    complete behaviors;
+    disjoint behaviors;
 */
-int match_string(const char* const* array, size_t n, const char* string);
+int match_string(const char * const *array, size_t n, const char *string);
 
 #endif // __MATCH_STRING_H__

From 87faa30d781cec1e2117a4d114c410ecbdfdcad4 Mon Sep 17 00:00:00 2001
From: Denis Efremov <efremov@linux.com>
Date: Sun, 28 Jul 2019 18:46:48 +0300
Subject: [PATCH 11/14] strcmp: add logic function

---
 .../strcmp.av/whole_program/why3session.xml   | 112 ++++++++++++++----
 src/strcmp.c                                  |   2 +-
 2 files changed, 93 insertions(+), 21 deletions(-)

diff --git a/sessions/strcmp.av/whole_program/why3session.xml b/sessions/strcmp.av/whole_program/why3session.xml
index aef36a2..53ff32f 100644
--- a/sessions/strcmp.av/whole_program/why3session.xml
+++ b/sessions/strcmp.av/whole_program/why3session.xml
@@ -5,46 +5,104 @@
 <prover id="0" name="CVC4" version="1.6" alternative="noBV" timelimit="2" steplimit="0" memlimit="2000"/>
 <prover id="1" name="Alt-Ergo" version="2.3.0" timelimit="2" steplimit="0" memlimit="2000"/>
 <prover id="2" name="CVC4" version="1.6" timelimit="2" steplimit="0" memlimit="2000"/>
-<file name="../whole_program.mlw">
-<theory name="Function_strcmp_safety" sum="6c201068f76cc4a08c4bb7a825f3ee9c">
- <goal name="WP_parameter strcmp" expl="Function strcmp, safety">
- <proof prover="1"><result status="valid" time="0.71" steps="3591"/></proof>
+<file name="../whole_program.mlw" expanded="true">
+<theory name="Function_strcmp_0_safety" sum="3fa2f1de77d6b4509201a03d07858758">
+ <goal name="WP_parameter strcmp_0" expl="Function strcmp, safety">
+ <proof prover="1"><result status="valid" time="0.70" steps="4631"/></proof>
  </goal>
 </theory>
-<theory name="Function_strcmp_behaviors" sum="728c8579b8b631e31dd3dc6f1a19fffe">
+<theory name="Function_strcmp_0_behaviors" sum="500665610de1eb622b0c0ec7ef3011be">
  <goal name="WP_parameter strcmp_ensures_default" expl="Function strcmp, default behavior">
  <transf name="split_goal_wp">
   <goal name="WP_parameter strcmp_ensures_default.1" expl="Behavior disjointness check">
-  <proof prover="1"><result status="valid" time="0.03" steps="155"/></proof>
+  <proof prover="1"><result status="valid" time="0.04" steps="155"/></proof>
   </goal>
   <goal name="WP_parameter strcmp_ensures_default.2" expl="Behavior completeness check">
-  <proof prover="1"><result status="valid" time="0.03" steps="153"/></proof>
+  <proof prover="1"><result status="valid" time="0.04" steps="153"/></proof>
   </goal>
   <goal name="WP_parameter strcmp_ensures_default.3" expl="Assertion in line 7">
-  <proof prover="2"><result status="valid" time="0.06" steps="25173"/></proof>
+  <proof prover="2"><result status="valid" time="0.06" steps="27892"/></proof>
   </goal>
   <goal name="WP_parameter strcmp_ensures_default.4" expl="loop invariant init">
-  <proof prover="1"><result status="valid" time="0.13" steps="1114"/></proof>
+  <proof prover="1"><result status="valid" time="0.16" steps="1238"/></proof>
   </goal>
   <goal name="WP_parameter strcmp_ensures_default.5" expl="Assertion in line 27">
-  <proof prover="1"><result status="valid" time="0.40" steps="2253"/></proof>
+  <proof prover="1"><result status="valid" time="0.40" steps="2333"/></proof>
   </goal>
-  <goal name="WP_parameter strcmp_ensures_default.6" expl="Assertion in line 27">
-  <proof prover="1"><result status="valid" time="0.39" steps="2136"/></proof>
+  <goal name="WP_parameter strcmp_ensures_default.6" expl="Ensures clause (Postcondition)">
+  <proof prover="1"><result status="valid" time="0.83" steps="2423"/></proof>
   </goal>
-  <goal name="WP_parameter strcmp_ensures_default.7" expl="Assertion in line 37">
-  <proof prover="1"><result status="valid" time="0.32" steps="1521"/></proof>
+  <goal name="WP_parameter strcmp_ensures_default.7" expl="Ensures clause (Postcondition)">
+  <proof prover="1"><result status="valid" time="0.03" steps="217"/></proof>
   </goal>
-  <goal name="WP_parameter strcmp_ensures_default.8" expl="loop invariant preservation">
-  <proof prover="0"><result status="valid" time="0.59"/></proof>
+  <goal name="WP_parameter strcmp_ensures_default.8" expl="Assertion in line 27">
+  <proof prover="1"><result status="valid" time="0.39" steps="2123"/></proof>
+  </goal>
+  <goal name="WP_parameter strcmp_ensures_default.9" expl="Ensures clause (Postcondition)">
+  <proof prover="1"><result status="valid" time="0.03" steps="213"/></proof>
+  </goal>
+  <goal name="WP_parameter strcmp_ensures_default.10" expl="Ensures clause (Postcondition)">
+  <proof prover="1"><result status="valid" time="0.87" steps="2885"/></proof>
+  </goal>
+  <goal name="WP_parameter strcmp_ensures_default.11" expl="Ensures clause (Postcondition)">
+  <proof prover="1"><result status="valid" time="1.92" steps="3428"/></proof>
+  </goal>
+  <goal name="WP_parameter strcmp_ensures_default.12" expl="Assertion in line 37">
+  <proof prover="1"><result status="valid" time="0.32" steps="1533"/></proof>
+  </goal>
+  <goal name="WP_parameter strcmp_ensures_default.13" expl="loop invariant preservation">
+  <transf name="split_goal_wp">
+   <goal name="WP_parameter strcmp_ensures_default.13.1" expl="Function strcmp, default behavior">
+   <proof prover="0"><result status="valid" time="0.26"/></proof>
+   </goal>
+   <goal name="WP_parameter strcmp_ensures_default.13.2" expl="Function strcmp, default behavior">
+   <proof prover="0"><result status="valid" time="0.29"/></proof>
+   </goal>
+   <goal name="WP_parameter strcmp_ensures_default.13.3" expl="Function strcmp, default behavior">
+   <proof prover="1"><result status="valid" time="0.04" steps="211"/></proof>
+   </goal>
+   <goal name="WP_parameter strcmp_ensures_default.13.4" expl="Function strcmp, default behavior">
+   <proof prover="1"><result status="valid" time="0.04" steps="211"/></proof>
+   </goal>
+   <goal name="WP_parameter strcmp_ensures_default.13.5" expl="Function strcmp, default behavior">
+   <proof prover="1"><result status="valid" time="0.04" steps="211"/></proof>
+   </goal>
+   <goal name="WP_parameter strcmp_ensures_default.13.6" expl="Function strcmp, default behavior">
+   <proof prover="0"><result status="valid" time="0.30"/></proof>
+   </goal>
+   <goal name="WP_parameter strcmp_ensures_default.13.7" expl="Function strcmp, default behavior">
+   <proof prover="1"><result status="valid" time="0.05" steps="219"/></proof>
+   </goal>
+   <goal name="WP_parameter strcmp_ensures_default.13.8" expl="Function strcmp, default behavior">
+   <proof prover="1"><result status="valid" time="0.05" steps="219"/></proof>
+   </goal>
+   <goal name="WP_parameter strcmp_ensures_default.13.9" expl="Function strcmp, default behavior">
+   <proof prover="1"><result status="valid" time="0.04" steps="219"/></proof>
+   </goal>
+   <goal name="WP_parameter strcmp_ensures_default.13.10" expl="Function strcmp, default behavior">
+   <proof prover="1"><result status="valid" time="0.20" steps="917"/></proof>
+   </goal>
+   <goal name="WP_parameter strcmp_ensures_default.13.11" expl="Function strcmp, default behavior">
+   <proof prover="1"><result status="valid" time="0.05" steps="227"/></proof>
+   </goal>
+   <goal name="WP_parameter strcmp_ensures_default.13.12" expl="Function strcmp, default behavior">
+   <proof prover="1"><result status="valid" time="0.06" steps="233"/></proof>
+   </goal>
+   <goal name="WP_parameter strcmp_ensures_default.13.13" expl="Function strcmp, default behavior">
+   <proof prover="1"><result status="valid" time="0.25" steps="1045"/></proof>
+   </goal>
+   <goal name="WP_parameter strcmp_ensures_default.13.14" expl="Function strcmp, default behavior">
+   <proof prover="1"><result status="valid" time="0.87" steps="3255"/></proof>
+   </goal>
+  </transf>
   </goal>
  </transf>
  </goal>
  <goal name="WP_parameter strcmp_ensures_equal" expl="Function strcmp, behavior equal">
- <proof prover="1"><result status="valid" time="0.05" steps="211"/></proof>
+ <proof prover="1"><result status="valid" time="0.05" steps="213"/></proof>
  </goal>
  <goal name="WP_parameter strcmp_ensures_not_equal" expl="Function strcmp, behavior not_equal">
- <proof prover="0"><result status="valid" time="1.26"/></proof>
+ <proof prover="0"><result status="valid" time="1.20"/></proof>
  </goal>
 </theory>
 <theory name="Axiomatic_Padding" sum="d41d8cd98f00b204e9800998ecf8427e">
@@ -351,6 +409,20 @@
 </theory>
 <theory name="Axiomatic_LF__Axiomatic__valid_str_shift" sum="d41d8cd98f00b204e9800998ecf8427e">
 </theory>
+<theory name="Axiomatic_StrCmp" sum="cee16887b1887da38f5c627e43221b7c" expanded="true">
+ <goal name="Range" expl="Lemma range">
+ </goal>
+ <goal name="Defn_equal" expl="Lemma defn_equal">
+ </goal>
+ <goal name="Defn_less" expl="Lemma defn_less">
+ </goal>
+ <goal name="Defn_greater" expl="Lemma defn_greater">
+ </goal>
+ <goal name="Iter_one" expl="Lemma iter_one">
+ </goal>
+ <goal name="At_end" expl="Lemma at_end">
+ </goal>
+</theory>
 <theory name="Safe_bit_uint8_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
 </theory>
 <theory name="Safe_bit_int32_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
@@ -843,9 +915,9 @@
 </theory>
 <theory name="Function_strlen_0_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
 </theory>
-<theory name="Function_strcmp" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_strcmp_0" sum="d41d8cd98f00b204e9800998ecf8427e">
 </theory>
-<theory name="Function_strcmp_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_strcmp_0_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
 </theory>
 </file>
 </why3session>
diff --git a/src/strcmp.c b/src/strcmp.c
index 266f99d..0b0775b 100644
--- a/src/strcmp.c
+++ b/src/strcmp.c
@@ -15,7 +15,7 @@ int strcmp(const char *cs, const char *ct)
 	    loop invariant \forall integer i; 0 <= i < cs - \at(cs,Pre) ==>
 	                   \at(cs,Pre)[i] == \at(ct,Pre)[i];
 	    loop invariant strlen(cs) == strlen(\at(cs,Pre)) - (cs - \at(cs,Pre));
-	    //loop invariant strcmp(\at(cs,Pre), \at(ct,Pre)) == strcmp(cs, ct);
+	    loop invariant strcmp(\at(cs,Pre), \at(ct,Pre)) == strcmp(cs, ct);
 	    loop assigns cs, ct;
 	    loop variant strlen(\at(cs,Pre)) - (cs - \at(cs,Pre));
 	*/

From 8345738083588a1438c2f96b4a48b2dea0f71d32 Mon Sep 17 00:00:00 2001
From: Denis Efremov <efremov@linux.com>
Date: Sun, 28 Jul 2019 18:48:12 +0300
Subject: [PATCH 12/14] strncmp: move contract to the header

---
 README.md     |  2 +-
 src/strncmp.c | 26 --------------------------
 src/strncmp.h | 26 ++++++++++++++++++++++++++
 3 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/README.md b/README.md
index c585b96..0c16a67 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ The repository contains ACSL specifications for the Linux kernel functions. The
 | 8  | strcat        | proved | not required   |           | usr strcmp in ensures |
 | 9  | strchr        | proved | proved         | yes       |         |
 | 10 | strchrnul     | proved | proved         | yes       |         |
-| 11 | strcmp        | proved |                | yes       |         |
+| 11 | strcmp        | proved | proved         | yes       |         |
 | 12 | strcpy        | proved | not required   |           | use strcmp logic function |
 | 13 | strcspn       | proved | proved         | yes       |         |
 | 14 | strim         |        | not required   | !const    |         |
diff --git a/src/strncmp.c b/src/strncmp.c
index fbd183e..e74d398 100644
--- a/src/strncmp.c
+++ b/src/strncmp.c
@@ -1,31 +1,5 @@
 #include "strncmp.h"
 
-/*@ requires valid_strn(cs, count);
-    requires valid_strn(ct, count);
-    assigns \nothing;
-    ensures \result == -1 || \result == 0 || \result == 1;
-    behavior equal:
-       assumes count == 0 ||
-               count > 0  &&
-               (\forall integer i; 0 <= i < strnlen(cs, count) ==> (cs[i] == ct[i])) &&
-               strnlen(cs, count) == strnlen(ct, count);
-       ensures \result == 0;
-    behavior len_diff:
-       assumes count > 0;
-       assumes \forall integer i; 0 <= i < strnlen(cs, count) ==> (cs[i] == ct[i]);
-       assumes strnlen(cs, count) != strnlen(ct, count);
-       ensures strnlen(cs, count) < strnlen(ct, count) ==> \result == -1;
-       ensures strnlen(cs, count) > strnlen(ct, count) ==> \result == 1;
-    behavior not_equal:
-       assumes count > 0;
-       assumes \exists integer i; 0 <= i < strnlen(cs, count) && cs[i] != ct[i];
-       ensures \exists integer i; 0 <= i < strnlen(cs, count) &&
-               (\forall integer j; 0 <= j < i ==> cs[j] == ct[j]) &&
-               (cs[i] != ct[i]) &&
-               ((u8 AENO)cs[i] < (u8 AENO)ct[i] ? \result == -1 : \result == 1);
-    complete behaviors;
-    disjoint behaviors;
- */
 int strncmp(const char *cs, const char *ct, size_t count)
 {
 	unsigned char c1, c2;
diff --git a/src/strncmp.h b/src/strncmp.h
index 34cd370..49c3fdb 100644
--- a/src/strncmp.h
+++ b/src/strncmp.h
@@ -41,6 +41,32 @@
     }
  */
 
+/*@ requires valid_strn(cs, count);
+    requires valid_strn(ct, count);
+    assigns \nothing;
+    ensures \result == -1 || \result == 0 || \result == 1;
+    behavior equal:
+       assumes count == 0 ||
+               count > 0  &&
+               (\forall integer i; 0 <= i < strnlen(cs, count) ==> (cs[i] == ct[i])) &&
+               strnlen(cs, count) == strnlen(ct, count);
+       ensures \result == 0;
+    behavior len_diff:
+       assumes count > 0;
+       assumes \forall integer i; 0 <= i < strnlen(cs, count) ==> (cs[i] == ct[i]);
+       assumes strnlen(cs, count) != strnlen(ct, count);
+       ensures strnlen(cs, count) < strnlen(ct, count) ==> \result == -1;
+       ensures strnlen(cs, count) > strnlen(ct, count) ==> \result == 1;
+    behavior not_equal:
+       assumes count > 0;
+       assumes \exists integer i; 0 <= i < strnlen(cs, count) && cs[i] != ct[i];
+       ensures \exists integer i; 0 <= i < strnlen(cs, count) &&
+               (\forall integer j; 0 <= j < i ==> cs[j] == ct[j]) &&
+               (cs[i] != ct[i]) &&
+               ((u8 AENO)cs[i] < (u8 AENO)ct[i] ? \result == -1 : \result == 1);
+    complete behaviors;
+    disjoint behaviors;
+ */
 int strncmp(const char *cs, const char *ct, size_t count);
 
 #endif // __STRNCMP_H__

From bbde78dfcde2efb006adc1a5939972d61add2a09 Mon Sep 17 00:00:00 2001
From: Denis Efremov <efremov@linux.com>
Date: Sun, 28 Jul 2019 19:14:49 +0300
Subject: [PATCH 13/14] strnlen: session update

---
 .../strnlen.av/whole_program/why3session.xml  | 978 +++++++++---------
 1 file changed, 489 insertions(+), 489 deletions(-)

diff --git a/sessions/strnlen.av/whole_program/why3session.xml b/sessions/strnlen.av/whole_program/why3session.xml
index 6c23402..a4eeb75 100644
--- a/sessions/strnlen.av/whole_program/why3session.xml
+++ b/sessions/strnlen.av/whole_program/why3session.xml
@@ -4,18 +4,18 @@
 <why3session shape_version="4">
 <prover id="0" name="CVC4" version="1.6" alternative="noBV" timelimit="2" steplimit="0" memlimit="2000"/>
 <prover id="1" name="Alt-Ergo" version="2.3.0" timelimit="2" steplimit="0" memlimit="2000"/>
-<file name="../whole_program.mlw">
-<theory name="Function_strnlen_0_safety" sum="881913f87f0b83683671ad442d093cc2">
- <goal name="WP_parameter strnlen_0" expl="Function strnlen, safety">
+<file name="../whole_program.mlw" expanded="true">
+<theory name="Function_strnlen_0_safety" sum="881913f87f0b83683671ad442d093cc2" expanded="true">
+ <goal name="WP_parameter strnlen_0" expl="Function strnlen, safety" expanded="true">
  <proof prover="0"><result status="valid" time="0.15"/></proof>
  </goal>
 </theory>
-<theory name="Function_strnlen_0_behaviors" sum="2d90d84fd0de19306da3753af0a000eb">
- <goal name="WP_parameter strnlen_ensures_count_len" expl="Function strnlen, behavior count_len">
- <proof prover="1"><result status="valid" time="0.10" steps="552"/></proof>
+<theory name="Function_strnlen_0_behaviors" sum="2d90d84fd0de19306da3753af0a000eb" expanded="true">
+ <goal name="WP_parameter strnlen_ensures_count_len" expl="Function strnlen, behavior count_len" expanded="true">
+ <proof prover="1"><result status="valid" time="0.09" steps="552"/></proof>
  </goal>
- <goal name="WP_parameter strnlen_ensures_default" expl="Function strnlen, default behavior">
- <transf name="split_goal_wp">
+ <goal name="WP_parameter strnlen_ensures_default" expl="Function strnlen, default behavior" expanded="true">
+ <transf name="split_goal_wp" expanded="true">
   <goal name="WP_parameter strnlen_ensures_default.1" expl="Behavior disjointness check">
   <proof prover="1"><result status="valid" time="0.02" steps="150"/></proof>
   </goal>
@@ -23,43 +23,43 @@
   <proof prover="1"><result status="valid" time="0.02" steps="148"/></proof>
   </goal>
   <goal name="WP_parameter strnlen_ensures_default.3" expl="loop invariant init">
-  <proof prover="1"><result status="valid" time="0.14" steps="866"/></proof>
+  <proof prover="1"><result status="valid" time="0.13" steps="866"/></proof>
   </goal>
   <goal name="WP_parameter strnlen_ensures_default.4" expl="loop invariant preservation">
-  <proof prover="0"><result status="valid" time="0.97"/></proof>
+  <proof prover="0"><result status="valid" time="1.11"/></proof>
   </goal>
   <goal name="WP_parameter strnlen_ensures_default.5" expl="Ensures clause (Postcondition)">
-  <proof prover="1"><result status="valid" time="0.10" steps="431"/></proof>
+  <proof prover="1"><result status="valid" time="0.07" steps="431"/></proof>
   </goal>
   <goal name="WP_parameter strnlen_ensures_default.6" expl="Ensures clause (Postcondition)">
-  <proof prover="1"><result status="valid" time="0.07" steps="404"/></proof>
+  <proof prover="1"><result status="valid" time="0.06" steps="404"/></proof>
   </goal>
  </transf>
  </goal>
- <goal name="WP_parameter strnlen_ensures_null_byte" expl="Function strnlen, behavior null_byte">
- <proof prover="0"><result status="valid" time="0.11"/></proof>
+ <goal name="WP_parameter strnlen_ensures_null_byte" expl="Function strnlen, behavior null_byte" expanded="true">
+ <proof prover="0"><result status="valid" time="0.07"/></proof>
  </goal>
 </theory>
-<theory name="Function_elim_valid_strn_safety" sum="2ea6be1f82deb67215ea134ed15df377">
- <goal name="WP_parameter elim_valid_strn" expl="Function elim_valid_strn, safety">
- <proof prover="1"><result status="valid" time="0.52" steps="2401"/></proof>
+<theory name="Function_elim_valid_strn_safety" sum="2ea6be1f82deb67215ea134ed15df377" expanded="true">
+ <goal name="WP_parameter elim_valid_strn" expl="Function elim_valid_strn, safety" expanded="true">
+ <proof prover="1"><result status="valid" time="0.50" steps="2401"/></proof>
  </goal>
 </theory>
-<theory name="Function_elim_valid_strn_behaviors" sum="313104972206698924b42ef78d02e317">
- <goal name="WP_parameter elim_valid_strn_ensures_default" expl="Function elim_valid_strn, default behavior">
- <proof prover="0"><result status="valid" time="1.40"/></proof>
+<theory name="Function_elim_valid_strn_behaviors" sum="313104972206698924b42ef78d02e317" expanded="true">
+ <goal name="WP_parameter elim_valid_strn_ensures_default" expl="Function elim_valid_strn, default behavior" expanded="true">
+ <proof prover="0"><result status="valid" time="0.89"/></proof>
  </goal>
 </theory>
-<theory name="Function_elim_valid_strn_len_safety" sum="1902057f7097b861b023235c405cabec">
- <goal name="WP_parameter elim_valid_strn_len" expl="Function elim_valid_strn_len, safety">
- <proof prover="1"><result status="valid" time="1.06" steps="2836"/></proof>
+<theory name="Function_elim_valid_strn_len_safety" sum="1902057f7097b861b023235c405cabec" expanded="true">
+ <goal name="WP_parameter elim_valid_strn_len" expl="Function elim_valid_strn_len, safety" expanded="true">
+ <proof prover="1"><result status="valid" time="0.98" steps="2836"/></proof>
  </goal>
 </theory>
-<theory name="Function_elim_valid_strn_len_behaviors" sum="25f852e245d177ee64df5f9039ecef8b">
- <goal name="WP_parameter elim_valid_strn_len_ensures_default" expl="Function elim_valid_strn_len, default behavior">
- <transf name="split_goal_wp">
+<theory name="Function_elim_valid_strn_len_behaviors" sum="25f852e245d177ee64df5f9039ecef8b" expanded="true">
+ <goal name="WP_parameter elim_valid_strn_len_ensures_default" expl="Function elim_valid_strn_len, default behavior" expanded="true">
+ <transf name="split_goal_wp" expanded="true">
   <goal name="WP_parameter elim_valid_strn_len_ensures_default.1" expl="loop invariant init">
-  <proof prover="1"><result status="valid" time="0.03" steps="298"/></proof>
+  <proof prover="1"><result status="valid" time="0.05" steps="298"/></proof>
   </goal>
   <goal name="WP_parameter elim_valid_strn_len_ensures_default.2" expl="Function elim_valid_strn_len, default behavior">
   <proof prover="1"><result status="valid" time="0.01" steps="30"/></proof>
@@ -71,933 +71,933 @@
   <proof prover="1"><result status="valid" time="0.07" steps="596"/></proof>
   </goal>
   <goal name="WP_parameter elim_valid_strn_len_ensures_default.5" expl="Assertion in line 155">
-  <proof prover="1"><result status="valid" time="1.34" steps="4135"/></proof>
+  <proof prover="1"><result status="valid" time="1.13" steps="4135"/></proof>
   </goal>
   <goal name="WP_parameter elim_valid_strn_len_ensures_default.6" expl="loop invariant preservation">
-  <proof prover="1"><result status="valid" time="0.39" steps="2671"/></proof>
+  <proof prover="1"><result status="valid" time="0.36" steps="2671"/></proof>
   </goal>
  </transf>
  </goal>
 </theory>
-<theory name="Function_valid_strn_len_safety" sum="ae21c8d50bbb07a4011dbf960d745fb7">
- <goal name="WP_parameter valid_strn_len" expl="Function valid_strn_len, safety">
- <proof prover="1"><result status="valid" time="0.00" steps="10"/></proof>
+<theory name="Function_valid_strn_len_safety" sum="ae21c8d50bbb07a4011dbf960d745fb7" expanded="true">
+ <goal name="WP_parameter valid_strn_len" expl="Function valid_strn_len, safety" expanded="true">
+ <proof prover="1"><result status="valid" time="0.01" steps="10"/></proof>
  </goal>
 </theory>
-<theory name="Function_valid_strn_len_behaviors" sum="241d169ffc47355b246796f3e2f9add6">
- <goal name="WP_parameter valid_strn_len_ensures_default" expl="Function valid_strn_len, default behavior">
+<theory name="Function_valid_strn_len_behaviors" sum="241d169ffc47355b246796f3e2f9add6" expanded="true">
+ <goal name="WP_parameter valid_strn_len_ensures_default" expl="Function valid_strn_len, default behavior" expanded="true">
  <proof prover="1"><result status="valid" time="0.02" steps="126"/></proof>
  </goal>
 </theory>
-<theory name="Function_intro_valid_strn_len_safety" sum="87c4fd42696cc1ba812b1e444e6efa77">
- <goal name="WP_parameter intro_valid_strn_len" expl="Function intro_valid_strn_len, safety">
+<theory name="Function_intro_valid_strn_len_safety" sum="87c4fd42696cc1ba812b1e444e6efa77" expanded="true">
+ <goal name="WP_parameter intro_valid_strn_len" expl="Function intro_valid_strn_len, safety" expanded="true">
  <proof prover="1"><result status="valid" time="0.00" steps="0"/></proof>
  </goal>
 </theory>
-<theory name="Function_intro_valid_strn_len_behaviors" sum="e3f147d2f12be636677315eda5b6dcc7">
- <goal name="WP_parameter intro_valid_strn_len_ensures_default" expl="Function intro_valid_strn_len, default behavior">
- <proof prover="1"><result status="valid" time="0.04" steps="332"/></proof>
+<theory name="Function_intro_valid_strn_len_behaviors" sum="e3f147d2f12be636677315eda5b6dcc7" expanded="true">
+ <goal name="WP_parameter intro_valid_strn_len_ensures_default" expl="Function intro_valid_strn_len, default behavior" expanded="true">
+ <proof prover="1"><result status="valid" time="0.03" steps="332"/></proof>
  </goal>
 </theory>
-<theory name="Function_valid_strn_shift1_safety" sum="03630789a130ffa57b3c4bf18bc7d6f5">
- <goal name="WP_parameter valid_strn_shift1" expl="Function valid_strn_shift1, safety">
+<theory name="Function_valid_strn_shift1_safety" sum="03630789a130ffa57b3c4bf18bc7d6f5" expanded="true">
+ <goal name="WP_parameter valid_strn_shift1" expl="Function valid_strn_shift1, safety" expanded="true">
  <proof prover="0"><result status="valid" time="0.12"/></proof>
  </goal>
 </theory>
-<theory name="Function_valid_strn_shift1_behaviors" sum="b165bce53049f092619e024ae4dcdf8c">
- <goal name="WP_parameter valid_strn_shift1_ensures_default" expl="Function valid_strn_shift1, default behavior">
- <proof prover="1"><result status="valid" time="0.08" steps="474"/></proof>
+<theory name="Function_valid_strn_shift1_behaviors" sum="b165bce53049f092619e024ae4dcdf8c" expanded="true">
+ <goal name="WP_parameter valid_strn_shift1_ensures_default" expl="Function valid_strn_shift1, default behavior" expanded="true">
+ <proof prover="1"><result status="valid" time="0.04" steps="474"/></proof>
  </goal>
 </theory>
-<theory name="Function_strnlen_range_safety" sum="79c8d00bd79fd5ab86f56b79e405e4fa">
- <goal name="WP_parameter strnlen_range" expl="Function strnlen_range, safety">
+<theory name="Function_strnlen_range_safety" sum="79c8d00bd79fd5ab86f56b79e405e4fa" expanded="true">
+ <goal name="WP_parameter strnlen_range" expl="Function strnlen_range, safety" expanded="true">
  <proof prover="1"><result status="valid" time="0.01" steps="0"/></proof>
  </goal>
 </theory>
-<theory name="Function_strnlen_range_behaviors" sum="35a72977f2fb37a0e9b4277ea0f4c865">
- <goal name="WP_parameter strnlen_range_ensures_default" expl="Function strnlen_range, default behavior">
- <proof prover="1"><result status="valid" time="0.03" steps="63"/></proof>
+<theory name="Function_strnlen_range_behaviors" sum="35a72977f2fb37a0e9b4277ea0f4c865" expanded="true">
+ <goal name="WP_parameter strnlen_range_ensures_default" expl="Function strnlen_range, default behavior" expanded="true">
+ <proof prover="1"><result status="valid" time="0.01" steps="63"/></proof>
  </goal>
 </theory>
-<theory name="Function_valid_str_to_valid_strn_safety" sum="4eb8fd3053a12b391887b51b1b466ef3">
- <goal name="WP_parameter valid_str_to_valid_strn" expl="Function valid_str_to_valid_strn, safety">
- <proof prover="1"><result status="valid" time="0.01" steps="0"/></proof>
+<theory name="Function_valid_str_to_valid_strn_safety" sum="4eb8fd3053a12b391887b51b1b466ef3" expanded="true">
+ <goal name="WP_parameter valid_str_to_valid_strn" expl="Function valid_str_to_valid_strn, safety" expanded="true">
+ <proof prover="1"><result status="valid" time="0.00" steps="0"/></proof>
  </goal>
 </theory>
-<theory name="Function_valid_str_to_valid_strn_behaviors" sum="30effd04b0bb7e4a368b5131dc19b588">
- <goal name="WP_parameter valid_str_to_valid_strn_ensures_default" expl="Function valid_str_to_valid_strn, default behavior">
- <proof prover="1"><result status="valid" time="0.03" steps="110"/></proof>
+<theory name="Function_valid_str_to_valid_strn_behaviors" sum="30effd04b0bb7e4a368b5131dc19b588" expanded="true">
+ <goal name="WP_parameter valid_str_to_valid_strn_ensures_default" expl="Function valid_str_to_valid_strn, default behavior" expanded="true">
+ <proof prover="1"><result status="valid" time="0.02" steps="110"/></proof>
  </goal>
 </theory>
-<theory name="Function_strnlen_min_len_safety" sum="c02756ec2578b7b859b5cfab639ab3c9">
- <goal name="WP_parameter strnlen_min_len" expl="Function strnlen_min_len, safety">
+<theory name="Function_strnlen_min_len_safety" sum="c02756ec2578b7b859b5cfab639ab3c9" expanded="true">
+ <goal name="WP_parameter strnlen_min_len" expl="Function strnlen_min_len, safety" expanded="true">
  <proof prover="1"><result status="valid" time="0.01" steps="0"/></proof>
  </goal>
 </theory>
-<theory name="Function_strnlen_min_len_behaviors" sum="ee459be24ef9ad370bc90d9e7392c225">
- <goal name="WP_parameter strnlen_min_len_ensures_default" expl="Function strnlen_min_len, default behavior">
- <proof prover="1"><result status="valid" time="0.08" steps="351"/></proof>
+<theory name="Function_strnlen_min_len_behaviors" sum="ee459be24ef9ad370bc90d9e7392c225" expanded="true">
+ <goal name="WP_parameter strnlen_min_len_ensures_default" expl="Function strnlen_min_len, default behavior" expanded="true">
+ <proof prover="1"><result status="valid" time="0.04" steps="351"/></proof>
  </goal>
 </theory>
-<theory name="Function_strnlen_at_cnt_safety" sum="8a62ff9f956c3f87fa4a6417a84c783c">
- <goal name="WP_parameter strnlen_at_cnt" expl="Function strnlen_at_cnt, safety">
+<theory name="Function_strnlen_at_cnt_safety" sum="8a62ff9f956c3f87fa4a6417a84c783c" expanded="true">
+ <goal name="WP_parameter strnlen_at_cnt" expl="Function strnlen_at_cnt, safety" expanded="true">
  <proof prover="1"><result status="valid" time="0.00" steps="0"/></proof>
  </goal>
 </theory>
-<theory name="Function_strnlen_at_cnt_behaviors" sum="c8e33fb202a5fcf004de0200844bec09">
- <goal name="WP_parameter strnlen_at_cnt_ensures_default" expl="Function strnlen_at_cnt, default behavior">
+<theory name="Function_strnlen_at_cnt_behaviors" sum="c8e33fb202a5fcf004de0200844bec09" expanded="true">
+ <goal name="WP_parameter strnlen_at_cnt_ensures_default" expl="Function strnlen_at_cnt, default behavior" expanded="true">
  <proof prover="1"><result status="valid" time="0.01" steps="34"/></proof>
  </goal>
 </theory>
-<theory name="Axiomatic_Padding" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Axiomatic_Padding" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int32_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int32_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int32_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int32_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int64_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int64_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int64_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int64_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int64_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int64_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int64_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int64_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int8_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int8_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int8_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int8_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int8_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int8_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int8_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int8_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int8_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int8_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int8_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int8_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint16_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint16_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint16_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint16_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint16_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint16_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint16_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint16_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint16_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint16_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint16_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint16_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint16_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint16_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint16_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint16_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint32_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint32_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint32_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint32_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint32_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint32_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint32_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint32_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint32_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint32_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint32_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint32_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint32_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint32_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint32_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint32_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint32_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint32_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint32_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint32_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint64_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint64_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint64_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint64_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint64_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint64_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint64_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint64_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint64_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint64_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint64_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint64_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint64_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint64_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint64_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint64_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint64_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint64_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint64_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint64_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint64_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint64_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint64_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint64_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint8_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint8_of_Int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint8_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint8_of_Bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint8_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint8_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint8_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint8_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint8_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint8_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint8_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint8_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint8_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint8_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint8_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint8_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint8_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint8_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint8_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint8_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint8_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint8_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint8_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint8_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint8_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint8_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint8_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint8_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int16_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int16_of_Int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int16_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int16_of_Bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int16_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int16_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int16_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int16_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int32_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int32_of_Int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int32_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int32_of_Bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int16_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int16_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int16_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int16_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int32_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int32_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int32_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int32_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int64_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int64_of_Int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int64_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int64_of_Bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int16_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int16_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int16_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int16_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int32_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int32_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int32_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int32_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int64_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int64_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int64_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int64_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int8_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int8_of_Uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int8_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int8_of_Bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int16_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int16_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int16_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int16_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int32_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int32_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int32_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int32_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int64_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int64_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int64_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int64_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int8_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int8_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int8_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int8_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint16_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint16_of_Uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint16_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint16_of_Bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int16_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int16_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int16_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int16_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int32_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int32_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int32_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int32_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int64_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int64_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int64_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int64_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int8_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int8_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int8_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int8_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint16_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint16_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint16_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint16_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint32_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint32_of_Uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint32_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint32_of_Bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int16_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int16_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int16_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int16_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int32_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int32_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int32_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int32_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int64_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int64_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int64_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int64_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Int8_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Int8_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_int8_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_int8_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint16_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint16_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint16_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint16_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint32_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint32_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint32_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint32_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Uint64_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Uint64_of_Uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Bit_uint64_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Bit_uint64_of_Bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Globals_simple" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Globals_simple" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Root_voidP" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Root_voidP" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Root_voidP_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Root_voidP_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Root_voidP_unsafe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Root_voidP_unsafe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Axiomatic_Strlen" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Axiomatic_Strlen" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Axiomatic_LF__Axiomatic__valid_str_len" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Axiomatic_LF__Axiomatic__valid_str_len" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Axiomatic_LF__Axiomatic__valid_str_shift" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Axiomatic_LF__Axiomatic__valid_str_shift" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Axiomatic_Strnlen" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Axiomatic_Strnlen" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Axiomatic_LF__Axiomatic__valid_strn_len" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Axiomatic_LF__Axiomatic__valid_strn_len" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Axiomatic_LF__Axiomatic__valid_strn_shift1" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Axiomatic_LF__Axiomatic__valid_strn_shift1" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Axiomatic_LF__Axiomatic__strnlen_range" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Axiomatic_LF__Axiomatic__strnlen_range" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Axiomatic_LF__Axiomatic__valid_str_to_valid_strn" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Axiomatic_LF__Axiomatic__valid_str_to_valid_strn" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Axiomatic_LF__Axiomatic__strnlen_min_len" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Axiomatic_LF__Axiomatic__strnlen_min_len" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Axiomatic_LF__Axiomatic__strnlen_at_cnt" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Axiomatic_LF__Axiomatic__strnlen_at_cnt" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int32_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int32_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Exceptions" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Exceptions" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int32_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int32_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_elim_valid_strn_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_elim_valid_strn_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_elim_valid_strn" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_elim_valid_strn" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_elim_valid_strn_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_elim_valid_strn_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_elim_valid_strn_len" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_elim_valid_strn_len" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_intro_valid_strn_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_intro_valid_strn_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_intro_valid_strn_len" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_intro_valid_strn_len" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Logic_type_padding" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Logic_type_padding" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Struct_voidP" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Struct_voidP" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Struct_charP" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Struct_charP" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Struct_charP_unsafe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Struct_charP_unsafe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Struct_charP_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Struct_charP_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Struct_voidP_unsafe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Struct_voidP_unsafe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Struct_voidP_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Struct_voidP_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint64_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint64_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint64_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint64_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint64_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint64_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint64_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint32_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint32_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint32_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint32_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint32_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint32_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint32_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint32_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint16_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint16_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint16_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint16_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint16_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint16_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint16_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint16_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int8_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int8_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int8_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int8_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int8_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int8_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int8_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int8_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int64_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int64_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int64_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int64_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int64_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int64_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int64_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int64_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int32_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int32_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int32_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int32_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int32_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int32_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int32_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int32_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int16_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int16_of_Safe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int16_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int16_of_Unsafe_bit_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int16_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int16_of_Safe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int16_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int16_of_Unsafe_uint8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint32_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint32_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint32_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint32_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint32_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint32_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint32_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint32_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint16_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint16_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint16_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint16_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint16_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint16_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint16_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint16_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int8_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int8_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int8_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int8_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int8_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int8_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int8_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int8_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int64_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int64_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int64_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int64_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int64_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int64_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int64_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int64_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int32_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int32_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int32_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int32_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int32_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int32_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int32_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int32_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int16_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int16_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int16_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int16_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int16_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int16_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int16_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int16_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint16_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint16_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint16_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint16_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint16_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint16_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint16_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint16_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int8_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int8_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int8_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int8_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int8_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int8_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int8_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int8_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int64_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int64_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int64_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int64_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int64_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int64_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int64_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int64_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int32_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int32_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int32_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int32_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int32_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int32_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int32_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int32_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int16_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int16_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int16_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int16_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int16_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int16_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int16_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int16_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int8_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int8_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int8_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int8_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int8_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int8_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int8_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int8_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int64_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int64_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int64_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int64_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int64_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int64_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int64_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int64_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int32_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int32_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int32_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int32_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int32_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int32_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int32_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int32_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int16_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int16_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int16_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int16_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int16_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int16_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int16_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int16_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int64_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int64_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int64_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int64_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int64_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int64_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int64_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int64_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int32_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int32_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int32_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int32_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int16_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int16_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int16_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int16_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int16_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int16_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int16_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int16_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int32_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int32_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int32_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int32_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int32_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int32_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int32_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int32_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int16_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int16_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int16_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int16_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int16_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int16_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int16_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int16_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int16_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int16_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int16_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int16_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int16_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int16_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int16_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int16_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint8_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint8_of_Safe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint8_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint8_of_Unsafe_bit_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint8_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint8_of_Safe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint8_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint8_of_Unsafe_uint64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint8_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint8_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint8_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint8_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint8_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint8_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint8_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint8_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint8_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint8_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint8_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint8_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint8_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint8_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint8_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint8_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint8_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint8_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint8_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint8_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint8_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint8_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint8_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint8_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint8_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint8_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint8_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint8_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint8_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint8_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint8_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint8_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint8_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint8_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint8_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint8_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint8_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint8_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint8_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint8_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint8_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint8_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint8_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint8_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint8_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint8_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint8_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint8_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint64_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint64_of_Safe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint64_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint64_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint64_of_Safe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint64_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint64_of_Unsafe_uint32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint64_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint64_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint64_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint64_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint64_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint64_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint64_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint64_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint64_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint64_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint64_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint64_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint64_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint64_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint64_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint64_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint64_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint64_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint64_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint64_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint64_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint64_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint64_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint64_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint64_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint64_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint64_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint64_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint64_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint64_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint64_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint64_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint32_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint32_of_Safe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint32_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint32_of_Unsafe_bit_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint32_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint32_of_Safe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint32_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint32_of_Unsafe_uint16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint32_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint32_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint32_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint32_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint32_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint32_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint32_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint32_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint32_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint32_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint32_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint32_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint32_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint32_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint32_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint32_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint32_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint32_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint32_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint32_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint32_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint32_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint32_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint32_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint32_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint32_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint32_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint32_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint32_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint32_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint32_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint32_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint16_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint16_of_Safe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint16_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint16_of_Unsafe_bit_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint16_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint16_of_Safe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint16_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint16_of_Unsafe_int8" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint16_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint16_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint16_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint16_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint16_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint16_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint16_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint16_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint16_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint16_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint16_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint16_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint16_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint16_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint16_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint16_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_uint16_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_uint16_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_uint16_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_uint16_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_uint16_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_uint16_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_uint16_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_uint16_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int8_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int8_of_Safe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int8_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int8_of_Unsafe_bit_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int8_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int8_of_Safe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int8_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int8_of_Unsafe_int64" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int8_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int8_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int8_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int8_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int8_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int8_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int8_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int8_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int8_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int8_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int8_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int8_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int8_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int8_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int8_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int8_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int64_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int64_of_Safe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int64_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int64_of_Unsafe_bit_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int64_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int64_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int64_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int64_of_Unsafe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int64_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int64_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int64_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int64_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int64_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int64_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int64_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int64_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_bit_int32_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_bit_int32_of_Safe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_bit_int32_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_bit_int32_of_Unsafe_bit_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Safe_int32_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Safe_int32_of_Safe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Unsafe_int32_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Unsafe_int32_of_Unsafe_int16" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_elim_valid_str" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_elim_valid_str" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_elim_valid_str_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_elim_valid_str_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_elim_valid_str_len" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_elim_valid_str_len" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_elim_valid_str_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_elim_valid_str_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_valid_str_len" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_valid_str_len" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_valid_str_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_valid_str_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_intro_valid_str_len" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_intro_valid_str_len" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_intro_valid_str_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_intro_valid_str_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_valid_str_shift" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_valid_str_shift" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_valid_str_shift_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_valid_str_shift_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_elim_strlen" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_elim_strlen" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_elim_strlen_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_elim_strlen_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_strlen_0" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_strlen_0" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_strlen_0_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_strlen_0_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_valid_strn_len" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_valid_strn_len" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_valid_strn_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_valid_strn_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_valid_strn_shift1" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_valid_strn_shift1" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_valid_strn_shift1_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_valid_strn_shift1_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_strnlen_range" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_strnlen_range" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_strnlen_range_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_strnlen_range_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_valid_str_to_valid_strn" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_valid_str_to_valid_strn" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_valid_str_to_valid_strn_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_valid_str_to_valid_strn_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_strnlen_min_len" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_strnlen_min_len" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_strnlen_min_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_strnlen_min_len_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_strnlen_at_cnt" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_strnlen_at_cnt" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_strnlen_at_cnt_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_strnlen_at_cnt_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_strnlen_0" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_strnlen_0" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
-<theory name="Function_strnlen_0_safe" sum="d41d8cd98f00b204e9800998ecf8427e">
+<theory name="Function_strnlen_0_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
 </file>
 </why3session>

From 38ab80d0e82e9b545c977ec4d1fa34a75a7a3a07 Mon Sep 17 00:00:00 2001
From: Igor Tarakanov <igortarakanov@mail.ru>
Date: Wed, 21 Aug 2019 19:37:59 +0300
Subject: [PATCH 14/14] [+] lemma functions

---
 .../whole_program/why3session.xml             | 91 ++++++++++++------
 src/match_string.h                            | 94 +++++++++++++++++++
 2 files changed, 156 insertions(+), 29 deletions(-)

diff --git a/sessions/match_string.av/whole_program/why3session.xml b/sessions/match_string.av/whole_program/why3session.xml
index 13e45d9..4f30d7b 100644
--- a/sessions/match_string.av/whole_program/why3session.xml
+++ b/sessions/match_string.av/whole_program/why3session.xml
@@ -2,42 +2,51 @@
 <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
 "http://why3.lri.fr/why3session.dtd">
 <why3session shape_version="4">
-<prover id="0" name="CVC4" version="1.6" alternative="noBV" timelimit="2" steplimit="0" memlimit="2000"/>
-<prover id="1" name="Alt-Ergo" version="2.3.0" timelimit="2" steplimit="0" memlimit="2000"/>
-<file name="../whole_program.mlw" expanded="true">
-<theory name="Function_match_string_0_safety" sum="1f8cc5c24984d52512517b21ae5a2b91" expanded="true">
+<prover id="0" name="CVC4" version="1.6" timelimit="5" steplimit="0" memlimit="1000"/>
+<file name="../match_string_c.mlw" expanded="true">
+<theory name="Function_match_string_0_safety" sum="3b002289067cc2e04884e4456f785076" expanded="true">
  <goal name="WP_parameter match_string_0" expl="Function match_string, safety" expanded="true">
- <proof prover="0"><result status="valid" time="0.14"/></proof>
+ <proof prover="0"><result status="valid" time="0.94" steps="224269"/></proof>
  </goal>
 </theory>
-<theory name="Function_match_string_0_behaviors" sum="2f161d4328733cc19f2abd76a447ae37" expanded="true">
- <goal name="WP_parameter match_string_ensures_default" expl="Function match_string, default behavior" expanded="true">
- <transf name="split_goal_wp" expanded="true">
+<theory name="Function_match_string_0_behaviors" sum="e25eb01a76d367c7275a2b285cb2e34b" expanded="true">
+ <goal name="WP_parameter match_string_ensures_default" expl="Function match_string, default behavior">
+ <transf name="split_goal_wp">
   <goal name="WP_parameter match_string_ensures_default.1" expl="Behavior disjointness check">
-  <proof prover="1"><result status="valid" time="0.04" steps="151"/></proof>
+  <proof prover="0"><result status="valid" time="0.19" steps="40246"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.2" expl="Behavior completeness check">
-  <proof prover="1"><result status="valid" time="0.04" steps="149"/></proof>
+  <proof prover="0"><result status="valid" time="0.19" steps="40250"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.3" expl="loop invariant init">
-  <proof prover="0"><result status="valid" time="0.19"/></proof>
+  <proof prover="0"><result status="valid" time="0.43" steps="113464"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.4" expl="Assertion in line 21">
-  <proof prover="1"><result status="valid" time="0.11" steps="912"/></proof>
+  <proof prover="0"><result status="valid" time="0.39" steps="68706"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.5" expl="Assertion in line 25">
-  <proof prover="1"><result status="valid" time="1.34" steps="9983"/></proof>
+  <proof prover="0"><result status="valid" time="0.31" steps="58709"/></proof>
   </goal>
   <goal name="WP_parameter match_string_ensures_default.6" expl="loop invariant preservation">
-  <proof prover="1"><result status="valid" time="0.31" steps="2523"/></proof>
+  <proof prover="0"><result status="valid" time="0.70" steps="117333"/></proof>
   </goal>
  </transf>
  </goal>
- <goal name="WP_parameter match_string_ensures_exists" expl="Function match_string, behavior exists" expanded="true">
- <proof prover="1"><result status="valid" time="1.44" steps="6473"/></proof>
+ <goal name="WP_parameter match_string_ensures_exists" expl="Function match_string, behavior exists">
+ <transf name="split_goal_wp">
+  <goal name="WP_parameter match_string_ensures_exists.1" expl="Postcondition (Ensures clause)">
+  <proof prover="0"><result status="valid" time="0.22" steps="57428"/></proof>
+  </goal>
+  <goal name="WP_parameter match_string_ensures_exists.2" expl="Postcondition (Ensures clause)">
+  <proof prover="0"><result status="valid" time="1.26" steps="206471"/></proof>
+  </goal>
+  <goal name="WP_parameter match_string_ensures_exists.3" expl="Postcondition (Ensures clause)">
+  <proof prover="0"><result status="valid" time="0.17" steps="44607"/></proof>
+  </goal>
+ </transf>
  </goal>
- <goal name="WP_parameter match_string_ensures_missing" expl="Function match_string, behavior missing" expanded="true">
- <proof prover="1"><result status="valid" time="0.32" steps="2393"/></proof>
+ <goal name="WP_parameter match_string_ensures_missing" expl="Function match_string, behavior missing">
+ <proof prover="0"><result status="valid" time="1.25" steps="229496"/></proof>
  </goal>
 </theory>
 <theory name="Axiomatic_Padding" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
@@ -366,17 +375,17 @@
  <goal name="At_end" expl="Lemma at_end" expanded="true">
  </goal>
 </theory>
-<theory name="Axiomatic_MatchString" sum="d8754ca9cc049dbbfef27b01ad97e44c" expanded="true">
- <goal name="Real_len_not_nulls" expl="Lemma real_len_not_nulls" expanded="true">
- </goal>
- <goal name="Real_len_terminate" expl="Lemma real_len_terminate" expanded="true">
- </goal>
- <goal name="Real_len_maximum" expl="Lemma real_len_maximum" expanded="true">
- </goal>
- <goal name="Match_string_definition" expl="Lemma match_string_definition" expanded="true">
- </goal>
- <goal name="Strcmp_corollary" expl="Lemma strcmp_corollary" expanded="true">
- </goal>
+<theory name="Axiomatic_Strchrnul" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Axiomatic_LF__Axiomatic__real_len_iteration_1" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Axiomatic_LF__Axiomatic__real_len_iteration_2" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Axiomatic_LF__Axiomatic__real_len_iteration_4" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Axiomatic_LF__Axiomatic__real_len_iteration_5" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Axiomatic_LF__Axiomatic__real_len_iteration_6" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
 <theory name="Safe_uint64_of_Safe_int32" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
@@ -878,6 +887,30 @@
 </theory>
 <theory name="Function_strlen_0_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
+<theory name="Function_real_len_iteration_1" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_real_len_iteration_1_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_real_len_iteration_2" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_real_len_iteration_2_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_real_len_iteration_4" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_real_len_iteration_4_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_srrcmp" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_srrcmp_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_real_len_iteration_5" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_real_len_iteration_5_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_real_len_iteration_6" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
+<theory name="Function_real_len_iteration_6_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
+</theory>
 <theory name="Function_match_string_0" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
 </theory>
 <theory name="Function_match_string_0_safe" sum="d41d8cd98f00b204e9800998ecf8427e" expanded="true">
diff --git a/src/match_string.h b/src/match_string.h
index d021c01..9783cbe 100644
--- a/src/match_string.h
+++ b/src/match_string.h
@@ -20,6 +20,8 @@
  * be overflowed
  */
 
+#ifndef LEMMA_FUNCTIONS
+
 /*@ axiomatic MatchString {
 
     logic size_t match_string(char **a, size_t n, char *s) =
@@ -65,6 +67,98 @@
     }
  */
 
+#else
+
+/*@ axiomatic Strchrnul {
+    logic size_t match_string(char **a, size_t n, char *s) =
+       n == 0 ?
+          0
+       :
+          (strcmp(a[0], s) == 0 ? 0 : match_string(a + 1, (size_t)(n - 1), s));
+
+    logic size_t real_len(char **a, size_t n) =
+       ((a[0] == NULL) || (n == 0)) ?
+          0
+       :
+          (size_t)(1 + real_len(a + 1, (size_t)(n - 1)));
+    }
+ */
+
+/*@ ghost
+  @ /@ lemma
+  @  @ requires  0 <= i < real_len(a, len);
+  @  @ decreases i;
+  @  @ ensures a[i] != NULL;
+  @  @/
+  @ void real_len_iteration_1(char **a, size_t i, size_t len)
+  @ {
+  @   if (a[i] != NULL && len > 0)
+  @     real_len_iteration_1(a + 1, i + 1, len - 1);
+  @ }
+  @*/
+
+/*@ ghost
+  @ /@ lemma
+  @  @ requires  i == real_len(a, len);
+  @  @ decreases i;
+  @  @ ensures a[i] == NULL || i == len;
+  @  @/
+  @ void real_len_iteration_2(char **a, size_t i, size_t len)
+  @ {
+  @   if (a[i] != NULL && len > 0)
+  @     real_len_iteration_2(a + 1, i + 1, len - 1);
+  @ }
+  @*/
+
+/*@ ghost
+  @ /@ lemma
+  @  @ requires (\forall size_t i; i < len ==> a[i] != NULL);
+  @  @ decreases len;
+  @  @ ensures real_len(a, len) == len;
+  @  @/
+  @ void real_len_iteration_4(char** a, size_t len)
+  @ {
+  @   if (*a != NULL && len > 0)
+  @     real_len_iteration_4(a + 1, len - 1);
+  @ }
+  @*/
+
+/*@ ghost
+  @ /@ lemma
+  @  @ requires 0 <= i < real_len(array, len) &&
+  @       (\forall size_t j; 0 <= j < i ==> strcmp(array[j], string) != 0) &&
+  @       strcmp(array[i], string) == 0;
+  @  @ decreases len;
+  @  @ ensures match_string(array, real_len(array, len), string) == i;
+  @  @/
+  @ void real_len_iteration_5(char** array, char* string, size_t i, size_t len)
+  @ {
+  @   if (srrcmp(array[i], string) != 0 && len > 0)
+  @     real_len_iteration_5(array, string, i + 1, len - 1);
+  @ }
+  @*/
+
+/*@ ghost
+  @ /@ lemma
+  @  @ requires valid_str(string1) &&
+  @       valid_str(string2) &&
+  @       strcmp(string1, string2) != 0;
+  @  @ decreases strlen(string1);
+  @  @ ensures (\exists size_t i;
+  @          0 <= i <= \min(strlen(string1), strlen(string2)) &&
+  @          string1[i] != string2[i]);
+  @  @/
+  @ void real_len_iteration_6(char* string1, char* string2)
+  @ {
+  @   if (*string1 != *string2 && *string1 != '\0' && *string2 != '\0')
+  @     real_len_iteration_6(string1 + 1, string2 + 1);
+  @ }
+  @*/
+
+
+
+#endif /* LEMMA_FUNCTIONS */
+
 /*@ requires n <= INT_MAX;
     requires (real_len(array, n) == n) ==> \valid(array+(0..n-1));
     requires (real_len(array, n) < n) ==> \valid(array+(0..real_len(array, n)));