a=aV2V3iantha-a-alengthV0c1a-V3V4V0anthV3V1a<V3V4LalengthV1Ia<V3alength1V2Aa<=c0V3FAa>alengthV1c0Ia>alengthV0c0Aa=alength1V2a+alengthV0alengthV1E
VC for t
a=aaseqV0V1iantha-a-alengthafrontV0c1a-V1V2afrontV0anthV1arearV0a<V1V2LalengtharearV0Ia<V1alength1aseqV0Aa<=c0V1FAa>alengtharearV0c0Ia>alengthafrontV0c0Aa=alength1aseqV0a+alengthafrontV0alengtharearV0FaseqV0arearV0afrontV0
a=aseqV6aemptyItAtIa=aseqV6V3Aa=arearV6V4Aa=afrontV6V5Aa=V9afrontV6Aa=V8arearV6Aa=V7aseqV6FAa=aV3V10iantha-a-alengthV5c1a-V10V11V5anthV10V4a<V10V11LalengthV4Ia<V10alength1V3Aa<=c0V10FAa>alengthV4c0Ia>alengthV5c0Aa=alength1V3a+alengthV5alengthV4LaNilLaNilLaempty
VC for create
CCa=aseqV12asnocaseqV4V3Ia=V15afrontV12Aa=V14arearV12Aa=V13aseqV12Aa=aV13V16iantha-a-alengthV15c1a-V16V17V15anthV16V14a<V16V17LalengthV14Ia<V16alength1V13Aa<=c0V16FAa>alengthV14c0Ia>alengthV15c0Aa=alength1V13a+alengthV15alengthV14Ia=V13V11Aa=V14V9Aa=V15V10FIa=aV11V18aV8V18Ia<V18alength1V8Aa<=c0V18FAa=aV11alength1V8V3Aa=alength1V11a+c1alength1V8LasnocV8V3Ia=V8aseqV4Aa=V9aConsV3aNilAa=V10afrontV4FaNila=aseqV23asnocaseqV4V3Ia=V26afrontV23Aa=V25arearV23Aa=V24aseqV23Aa=aV24V27iantha-a-alengthV26c1a-V27V28V26anthV27V25a<V27V28LalengthV25Ia<V27alength1V24Aa<=c0V27FAa>alengthV25c0Ia>alengthV26c0Aa=alength1V24a+alengthV26alengthV25Ia=V24V22Aa=V25V20Aa=V26V21FIa=aV22V29aV19V29Ia<V29alength1V19Aa<=c0V29FAa=aV22alength1V19V3Aa=alength1V22a+c1alength1V19LasnocV19V3Ia=V19aseqV4Aa=V20arearV4Aa=V21aConsV3afrontV4FwafrontV4aNila=aseqV34asnocaseqV4V3Ia=V37afrontV34Aa=V36arearV34Aa=V35aseqV34Aa=aV35V38iantha-a-alengthV37c1a-V38V39V37anthV38V36a<V38V39LalengthV36Ia<V38alength1V35Aa<=c0V38FAa>alengthV36c0Ia>alengthV37c0Aa=alength1
VC for push
a=anthV3a++V4V5iantha-V3alengthV4V5anthV3V4a<V3alengthV4ICtaNila=anthV7a++V6V5iantha-V7alengthV6V5anthV7V6a<V7alengthV6La-V3c1ONa>V3c0aConswVV4ACtaNila<V9a+alengthV8alengthV5Aa<=c0V9ACfaNila=V10V8aConswVV4La-V3c1Ia>V3c0aConswVV4Ia<V3a+alengthV4alengthV5Aa<=c0V3F
VC for nth_append
a=anthV3a++V4V5iantha-V3alengthV4V5anthV3V4a<V3alengthV4Ia<V3a+alengthV4alengthV5Aa<=c0V3F
a=anthV6V7antha-a-alengthV7c1V6areverseV7ICfaNila=anthV9V8antha-a-alengthV8c1V9areverseV8La-V6c1ONa>V6c0aConswVV7ACfaNila<V11alengthV10Aa<=c0V11ACfaNila=V12V10aConswVV7La-V6c1Ia>V6c0aConswVV7Ia<V6alengthV7Aa<=c0V6F
VC for nth_rev
a=anthV6V7antha-a-alengthV7c1V6areverseV7Ia<V6alengthV7Aa<=c0V6F
a=aq_frontafrontaqAa=aq_reararearaqAa=aq_seqaseqaq
a=arearaqaNil
a=aseqaqaemptyAt
exceptional postcondition
a=arearaqaConsaxaNil
a<=c1alength1aseqaqAa<=c0c1
precondition
a=alength1aaseqaqc1a+alengthaNilalengthareverseafrontaq
type invariant
a>alengthaNilc0
a>alengthareverseafrontaqc0
a>alengthareverseafrontaqc0Ia>alengthaNilc0
a<=c0ai
a<aialength1aaseqaqc1
a=aaaseqaqc1aiiantha-a-alengthaNilc1a-aiV8aNilanthaiareverseafrontaqa<aiV8Lalengthareverseafrontaq
a=aNilafrontaq1Aa=areverseafrontaqarearaq1Aa=aaseqaqc1aseqaq1
Na=aseqaqaempty
postcondition
a=axaaseqaqc0
a=arearaqaConsaaseqaqc0aNil
a=aseqaq1aaseqaqc1
a=arearaqaConsaxaConsawaw1
a=alength1aaseqaqc1a+alengthafrontaqalengthaConsawaw1
a>alengthafrontaqc0
a>alengthaConsawaw1c0
a>alengthaConsawaw1c0Ia>alengthafrontaqc0
a=aaaseqaqc1aiiantha-a-alengthafrontaqc1a-aiV8afrontaqanthaiaConsawaw1a<aiV8LalengthaConsawaw1
a=afrontaqafrontaq1Aa=aConsawaw1arearaq1Aa=aaseqaqc1aseqaq1
a=arearaqaConsaaseqaqc0aConsawaw1
Ca=aseqV8aemptyAtItAtaNila=aseqV16aaseqV8c1Aa=V12aaseqV8c0ANa=aseqV8aemptyIa=V19afrontV16Aa=V18arearV16Aa=V17aseqV16Aa=aV17V20iantha-a-alengthV19c1a-V20V21V19anthV20V18a<V20V21LalengthV18Ia<V20alength1V17Aa<=c0V20FAa>alengthV18c0Ia>alengthV19c0Aa=alength1V17a+alengthV19alengthV18Ia=V17aV13c1Aa=V18V14Aa=V19V15FAa<=c1alength1V13Aa<=c0c1Ia=V13aseqV8Aa=V14areverseafrontV8Aa=V15aNilFaConsVaNila=aseqV27aaseqV8c1Aa=V22aaseqV8c0ANa=aseqV8aemptyIa=V30afrontV27Aa=V29arearV27Aa=V28aseqV27Aa=aV28V31iantha-a-alengthV30c1a-V31V32V30anthV31V29a<V31V32LalengthV29Ia<V31alength1V28Aa<=c0V31FAa>alengthV29c0Ia>alengthV30c0Aa=alength1V28a+alengthV30alengthV29Ia=V28aV24c1Aa=V29V25Aa=V30V26FAa<=c1alength1V24Aa<=c0c1Ia=V24aseqV8Aa=V25V23Aa=V26afrontV8FaConsVVarearV8Ia=V11afrontV8Aa=V10arearV8Aa=V9aseqV8F
VC for pop
Ca==aseqV8aemptyaNila=V12aaseqV8c0ANa=aseqV8aemptyaConsVwarearV8Ia=V11afrontV8Aa=V10arearV8Aa=V9aseqV8F
VC for peek
fIa=aseqV8aemptyAa=V12V8Aa=aseqV12aaseqV8c1Aa=V16aaseqV8c0ItAtIa=aseqV12aaseqV8c1Aa=V16aaseqV8c0ANa=aseqV8aemptyFIa=V15afrontV12Aa=V14arearV12Aa=V13aseqV12FItAtINa=aseqV8aemptyAa=V11afrontV8Aa=V10arearV8Aa=V9aseqV8F
VC for safe_pop
fIa==aseqV8aemptyAa=V12aaseqV8c0Ia=V12aaseqV8c0ANa=aseqV8aemptyFItAtINa=aseqV8aemptyAa=V11afrontV8Aa=V10arearV8Aa=V9aseqV8F
VC for safe_peek
a=aseqV18aemptyIa=V21afrontV18Aa=V20arearV18Aa=V19aseqV18Aa=aV19V22iantha-a-alengthV21c1a-V22V23V21anthV22V20a<V22V23LalengthV20Ia<V22alength1V19Aa<=c0V22FAa>alengthV20c0Ia>alengthV21c0Aa=alength1V19a+alengthV21alengthV20Ia=V19V15Aa=V20V16Aa=V21aNilFIa=V15V12Aa=V16aNilAa=V17V14FIa=V12aemptyAa=V13arearV8Aa=V14afrontV8FIa=V11afrontV8Aa=V10arearV8Aa=V9aseqV8F
VC for clear
a==aseqV15aseqV8ItAtIa=aseqV15V12Aa=arearV15V13Aa=afrontV15V14Aa=V18afrontV15Aa=V17arearV15Aa=V16aseqV15FAa=aV12V19iantha-a-alengthV14c1a-V19V20V14anthV19V13a<V19V20LalengthV13Ia<V19alength1V12Aa<=c0V19FAa>alengthV13c0Ia>alengthV14c0Aa=alength1V12a+alengthV14alengthV13LafrontV8LarearV8LaseqV8Ia=V11afrontV8Aa=V10arearV8Aa=V9aseqV8F
VC for copy
a==aseqV8aemptyqa=V12aTrueICCa=V12aTrueaNila=V12aFalsewafrontV8aNila=V12aFalsewarearV8FIa=V11afrontV8Aa=V10arearV8Aa=V9aseqV8F
VC for is_empty
a=avV13alength1aseqV8Ia=avV13a+avV12alengtharearV8FIa=avV12a+avazeroalengthafrontV8FAa=avV16a+avV14alengthV15ICa=V16V14aNila=avV16a+avV18alengthV17Aa=avV18a+avV14c1EaConswVV15FACtaNilCfaNila=V21V19aConswVV15Ia=avV20a+avV14c1FaConswVV15FIa=V11afrontV8Aa=V10arearV8Aa=V9aseqV8F
VC for length
a=aq1_frontafrontaq1Aa=aq1_reararearaq1Aa=aq1_seqaseqaq1
a=aq2_frontafrontaq2Aa=aq2_reararearaq2Aa=aq2_seqaseqaq2
a=arearaq2aNil
a=aq1_front1afrontaq11Aa=aq1_rear1arearaq11Aa=aq1_seq1aseqaq11
a=aseqaq11aempty
a=alength1aseqaq1a+alengthafrontaq1alengtharearaq1
a>alengthafrontaq1c0
a>alengtharearaq1c0
a>alengtharearaq1c0Ia>alengthafrontaq1c0
a<aialength1aseqaq1
a=aaseqaq1aiiantha-a-alengthafrontaq1c1a-aiV8afrontaq1anthaiarearaq1a<aiV8Lalengtharearaq1
a=afrontaq1afrontaq21Aa=arearaq1arearaq21Aa=aseqaq1aseqaq21
a=aseqaq21a++aseqaq2aseqaq1
a=arearaq2aConsawaw1
a=alength1a++aseqaq2aseqaq1a+alength1aseqaq2alength1aseqaq1
a=aa++aseqaq2aseqaq1V8aaseqaq2V8Ia<V8alength1aseqaq2Aa<=c0V8F
a=aa++aseqaq2aseqaq1V9aaseqaq1a-V9alength1aseqaq2Ia<V9alength1a++aseqaq2aseqaq1Aa<=alength1aseqaq2V9F
a=alength1a++aseqaq2aseqaq1a+alengtha++afrontaq1a++areversearearaq1afrontaq2alengtharearaq2
a>alengtha++afrontaq1a++areversearearaq1afrontaq2c0
a>alengtharearaq2c0
a>alengtharearaq2c0Ia>alengtha++afrontaq1a++areversearearaq1afrontaq2c0
a<aialength1a++aseqaq2aseqaq1
a=aa++aseqaq2aseqaq1aiiantha-a-alengtha++afrontaq1a++areversearearaq1afrontaq2c1a-aiV10a++afrontaq1a++areversearearaq1afrontaq2anthaiarearaq2a<aiV10Lalengtharearaq2
a=a++afrontaq1a++areversearearaq1afrontaq2afrontaq21Aa=arearaq2arearaq21Aa=a++aseqaq2aseqaq1aseqaq21
Ca=aseqV16a++aseqV12aseqV8Aa=aseqV20aemptyIa=V19afrontV16Aa=V18arearV16Aa=V17aseqV16Aa=aV17V24iantha-a-alengthV19c1a-V24V25V19anthV24V18a<V24V25LalengthV18Ia<V24alength1V17Aa<=c0V24FAa>alengthV18c0Ia>alengthV19c0Aa=alength1V17a+alengthV19alengthV18ItAtIa=aseqV20aemptyIa=V23afrontV20Aa=V22arearV20Aa=V21aseqV20FItAtIa=V17aseqV8Aa=V18arearV8Aa=V19afrontV8FaNila=aseqV31a++aseqV12aseqV8Aa=aseqV35aemptyIa=V34afrontV31Aa=V33arearV31Aa=V32aseqV31Aa=aV32V39iantha-a-alengthV34c1a-V39V40V34anthV39V33a<V39V40LalengthV33Ia<V39alength1V32Aa<=c0V39FAa>alengthV33c0Ia>alengthV34c0Aa=alength1V32a+alengthV34alengthV33ItAtIa=aseqV35aemptyIa=V38afrontV35Aa=V37arearV35Aa=V36aseqV35FItAtIa=V32V30Aa=V33V27Aa=V34V28FIa=aV30V41aV29a-V41alength1V26Ia<V41alength1V30Aa<=alength1V26V41FAa=aV30V42aV26V42Ia<V42alength1V26Aa<=c0V42FAa=alength1V30a+alength1V26alength1V29La++V26V29LaseqV8Ia=V26aseqV12Aa=V27arearV12Aa=V28a++afrontV8a++areversearearV8afrontV12FwarearV12Ia=V15afrontV12Aa=V14arearV12Aa=V13aseqV12Aa=V11afrontV8Aa=V10arearV8Aa=V9aseq
VC for transfer
a=aseqV0aemptyItAtIa=aseqV0aemptyAa=V3afrontV0Aa=V2arearV0Aa=V1aseqV0F
VC for create'refn
a=aseqV5asnocaseqV1V0ItAtIa=aseqV5asnocaseqV1V0Ia=V8afrontV5Aa=V7arearV5Aa=V6aseqV5FItAtIa=V4afrontV1Aa=V3arearV1Aa=V2aseqV1F
VC for push'refn
a=aseqV0aemptyAa=V4V0ItAtIa=aseqV0aemptyAa=V4V0Aa=aseqV4aaseqV0c1Aa=V8aaseqV0c0ANa=aseqV0aemptyItAtIa=aseqV4aaseqV0c1Aa=V8aaseqV0c0ANa=aseqV0aemptyFIa=V7afrontV4Aa=V6arearV4Aa=V5aseqV4FItAtIa=V3afrontV0Aa=V2arearV0Aa=V1aseqV0F
VC for pop'refn
a=aseqV0aemptyIa==aseqV0aemptyAa=V4aaseqV0c0ANa=aseqV0aemptyIa=V4aaseqV0c0ANa=aseqV0aemptyFItAtIa=V3afrontV0Aa=V2arearV0Aa=V1aseqV0F
VC for peek'refn
a=aseqV4aaseqV0c1AtItAtIa=aseqV4aaseqV0c1Ia=V7afrontV4Aa=V6arearV4Aa=V5aseqV4FANa=aseqV0aemptyItAtINa=aseqV0aemptyAa=V3afrontV0Aa=V2arearV0Aa=V1aseqV0F
VC for safe_pop'refn
tANa=aseqV0aemptyItAtINa=aseqV0aemptyAa=V3afrontV0Aa=V2arearV0Aa=V1aseqV0F
VC for safe_peek'refn
a=aseqV4aemptyItAtIa=aseqV4aemptyIa=V7afrontV4Aa=V6arearV4Aa=V5aseqV4FItAtIa=V3afrontV0Aa=V2arearV0Aa=V1aseqV0F
VC for clear'refn
a==aseqV4aseqV0ItAtIa==aseqV4aseqV0Aa=V7afrontV4Aa=V6arearV4Aa=V5aseqV4FItAtIa=V3afrontV0Aa=V2arearV0Aa=V1aseqV0F
VC for copy'refn
a=aseqV0aemptyqa==aseqV0aemptyItAtIa=V3afrontV0Aa=V2arearV0Aa=V1aseqV0F
VC for is_empty'refn
a=avV4alengthaseqV0Ia=avV4alengthaseqV0FItAtIa=V3afrontV0Aa=V2arearV0Aa=V1aseqV0F
VC for length'refn
a=aseqV8a++aseqV4aseqV0Aa=aseqV12aemptyItAtItAtIa=aseqV8a++aseqV4aseqV0Aa=aseqV12aemptyIa=V11afrontV8Aa=V10arearV8Aa=V9aseqV8Ia=V15afrontV12Aa=V14arearV12Aa=V13aseqV12FItAtItAtIa=V7afrontV4Aa=V6arearV4Aa=V5aseqV4Aa=V3afrontV0Aa=V2arearV0Aa=V1aseqV0F
VC for transfer'refn

5f813e28e8341e89f440a2354dfb3c2a 1H0
b37994484655b0af15f7dcd77d232b18 4H3H2
ef954514a44ca3dbf099f9bf424f55cd 6H5H2
35c576019ddddf158a1d4c6f62ebb818 8H7H2
3d34f20db16200ed4175cb460282b224 11H10H9H2
f7c6581cc4e5fbc1d344e5c4aa4d13cc 43H42H12H9H2
5c352f8b755a2d9ad34add8cc964ba87 16H15H14H13H12H9H2
f4ccecf7cc7dfa5ecd10fc4ecb57cd0f 19H18H17H13H12H9H2
fd9f34559f322f9541b748e44805fd8e 21H20H17H13H12H9H2
db8543c728a86dcd2247604f4d2491ce 21H23H22H20H17H13H12H9H2
99400b00b7714bacd57674a719e9509a 21H27H26H25H24H20H17H13H12H9H2
384e0fd837f7856896b0ef64c2ccd864 30H29H28H17H13H12H9H2
1a8d6650259f4c6d981299347f0a70f9 30H31H29H28H17H13H12H9H2
da6d8c88e29df772e6dfb3353ce0a2ed 30H33H29H28H32H13H12H9H2
c75e043f0170840173c23562016ba46f 19H18H34H13H12H9H2
add296212de2b4bf2e78b66748bc6fc2 21H35H34H13H12H9H2
e257cee7f30d45c735724efed4797d33 21H37H36H35H34H13H12H9H2
4e5dd98c025f12f260df985db0e46c70 21H39H26H25H38H35H34H13H12H9H2
f7420b95e81d338c85123143d034a7b1 30H29H40H34H13H12H9H2
d99bedec7fb05f61e2251488e07e11ae 30H31H29H40H34H13H12H9H2
d044a9b438a080f0a1126e5d939dda92 30H33H29H40H41H13H12H9H2
eddc95e7aa896d321aad53f1f6c27a70 45H44H12H9H2
1d55da0170f654cd520edee600ce2126 47H46H12H9H2
ae0a03a723efa5f4e495fdcc2539f252 49H48H12H9H2
1b2006635d6f683aaff24aa627897269 51H50H12H9H2
4a2c6f6c38c4a657b36a4ac6812d4c55 53H52H12H9H2
dbd28b9e77e309af935fb00560fc15ee 55H54H12H9H2
1b21971608bedc1e2437be540efc67fb 57H56H12H9H2
d8653618c9bb1d15600c3075e1ab39a7 83H82H12H9H2
54a9386228d6ae8119e148fb27c8cfd7 21H63H62H61H60H59H58H12H9H2
dbfdd4d10153f095feb8c900fa1f8555 21H65H64H63H62H61H60H59H58H12H9H2
e5457b61bfac670cb891a4d9bd96fc81 21H68H67H25H66H63H62H61H60H59H58H12H9H2
21f2927998db747d4596f8bc5018a709 30H62H69H62H61H60H59H58H12H9H2
ee977bd177c8fd31e0e566e8c29d1a51 30H70H62H69H62H61H60H59H58H12H9H2
13600cccc949e01963f3813226b44e8e 21H75H62H61H74H73H72H71H59H58H12H9H2
61dd370fb79f5edb4d2116b18d00d7a3 21H77H76H75H62H61H74H73H72H71H59H58H12H9H2
126cd550b43a0697253eb8d41d3e5fa3 21H80H79H25H78H75H62H61H74H73H72H71H59H58H12H9H2
39e14f310ad93a867c9ba1bd748ae6b2 30H62H81H62H61H74H73H72H71H59H58H12H9H2
6664d67f371547f9196835cf3c722e2b 30H70H62H81H62H61H74H73H72H71H59H58H12H9H2
ec0bdfeb85384422ead41a7010f773ea 85H84
31901fce1b6e94307856b7ff071cc304 87H86
5651ad0848cc8061bb51c50be7cc5228 89H88
33a9f6bf9f6dfabee8e5a5246f189923 91H90
63835471966aedebfd7b222f7e683055 93H92
c928f31a69d76dfab2a6e669872500a0 95H94
ad78a4a47e403e659047ddf0fca27a8e 97H96
c6c71e575ac4f262dfaa762062c97747 99H98
2885696bf72ca84e3b6dd9816f3d5e1e 101H100
0b6f2d4a385b6521dda5027fbd80e35e 103H102
151977f7e3075ab3c24d498776301bdd 105H104
