Home Intro Announce FAQ Docs Download Mail Status Bugs Users Related FM Tools

PVS Bug 774


Synopsis:        AUTO_REWRITE+ causes ASSERT to report "Free variables in type Seq[T](G)"
Severity:        serious
Priority:        medium
Responsible:     owre (Sam Owre)
State:           open
Class:           sw-bug
Arrival-Date:    Wed May 28 10:55:00 2003
Originator:      Rick Butler
Organization:    larc
Release:         PVS 3.1
Environment: 
 System:          
 Architecture: 

Description: 
  
  IF you rerun the proof of "v_not_in" in "sep_set_lems" you get
  
     Rerunning step: (assert)
  
     Free variables in type Seq[T](G)
     Restoring the state.
     v_not_in.1 :  
     
     {-1}  vert(G!1)(seq(p!1)(i!1))
     [-2]  W!1(v!1)
       |-------
     [1]   vert(G!1)(seq(p!1)(i!1)) AND NOT W!1(seq(p!1)(i!1))
     {2}   v!1 /= seq(p!1)(i!1) AND W!1(seq(p!1)(i!1))
     [3]   verts_of(p!1)(v!1)
        
  However, if you comment out (or remove) the AUTO_REWRITE+ statements
  in walks.pvs, rm *.bin and reissue the proof, the proof goes through fine.
  In fact all of the proofs will reprove after issuing M-x pri on
  sep_set_lems.
  
  
  WITHOUT THE AUTO_REWRITE+ statements 100% of the proofs work when
  issued on a fresh context with no *.bin files
  
  WITH THE AUTO_REWRITE+ statements included in walks.pvs you get
     
     Grand Totals: 197 proofs, 197 attempted, 174 succeeded (46.31 s)
  
  If you just comment out the AUTO_REWRITE+ statements and reissue
  a M-x pri in "sep_set_lems" you first get
  
    Expecting an expression or type
    No resolution for T
  
  If you then reissue Esc-1 M-x tc, it typechecks ok indicating a problem
  with the incremental typechecker.  This happens all the time in PVS 3.1
  not a major problem -- just an annoyance.
  
  The following lemmas also exhibit this strange Free variables in type Seq[T](
 G)
  error:
  
     walk?_del_vert       in path_ops
     walk?_del_vert_not   in path_ops
     path?_del_verst      in path_ops
     path_edge_once_TCC1  in path_ops
     path_edge_once_TCC2  in path_ops
     path_edge_once_TCC3  in path_ops
     path_edge_once_TCC4  in path_ops
     sep_set_exists       in sep_sets
     min_sep_set_vert     in sep_sets
     walk?_del_verts_not  in sep_sets
  
  Rick
  ----------------------
  
  %% PVS Version 3.1
  %% 6.2 [Linux (x86)] (Feb 14, 2003 18:46)
  
  $$$sep_set_lems.pvs
  sep_set_lems[T: TYPE]: THEORY
  BEGIN
  
     IMPORTING paths[T], sep_sets[T], path_ops[T]
  
     G,MM: VAR graph[T]
     v,s,t,w1,w2: VAR T
     e: VAR doubleton[T]
     W: VAR finite_set[T]
     p: VAR prewalk	      
  
  
     sep_num_0: LEMMA separable?(G,s,t) AND sep_num(G, s, t) = 0 IMPLIES
                            separates(G, emptyset[T], s, t)
    
     sep_num_gt_0: LEMMA vert(G)(s) AND vert(G)(t) AND separable?(G,s,t) 
                         AND sep_num(G,s,t) > 0 IMPLIES
                                (EXISTS (w: prewalk): walk_from?(G,w,s,t))
  
     sep_num_is_1: LEMMA vert(G)(s) AND vert(G)(t) AND v /= s AND v /= t AND
                            (FORALL (p: prewalk): walk_from?(G,p,s,t) IMPLIES
                                    (EXISTS (i: below(l(p))): seq(p)(i) = v))
                               IMPLIES sep_num(G,s,t) <= 1
  
     av: VAR T
     sep_num_le1: LEMMA vert(G)(s) AND vert(G)(t) AND vert(G)(av) AND
                            av /= s AND av /= t AND
                            separable?(G, s, t) AND 
                            sep_num(G,s,t) <= 1 IMPLIES
                               (EXISTS (z: T): vert(G)(z) AND z /= s AND z /= t
  AND
                                                 separates(G,singleton(z),s,t))
  
     separable?_comm: LEMMA separable?(G,s,t) IMPLIES separable?(G,t,s)
  
     separates_comm:  LEMMA separates(G, W, s, t) = separates(G, W, t, s)
  
  
     sep_num_comm:    LEMMA vert(G)(s) AND vert(G)(t) IMPLIES
                              sep_num(G,s,t) = sep_num(G,t,s)
  
  
     v_not_in: LEMMA  walk_from?(del_verts(G, remove(v, W)), p,s,t)
     	           AND W(v) AND NOT verts_of(p)(v)
     	           IMPLIES walk_from?(del_verts(G, W), p, s, t)
  
     k: VAR nat
     path_thru_each: LEMMA     sep_num(G,s,t) = k 
                           AND separates(G, W, s, t)
                           AND card(W) = k AND W(v)
                           AND vert(G)(s) AND vert(G)(t)
                IMPLIES
                   (EXISTS (pv: prewalk): verts_of(pv)(v) AND path_from?(G,pv,s
 ,t))
                   
  
  
     one_to_each: LEMMA     sep_num(G,s,t) = 2 
                        AND separates(G, dbl(w1, w2), s, t)
                        AND vert(G)(s) AND vert(G)(t)
                IMPLIES
     	         ( (EXISTS (Psw1: prewalk): path_from?(G, Psw1, s, w1)) AND
     		   (EXISTS (Psw2: prewalk): path_from?(G, Psw2, s, w2)))
  
  
  
     walk?_del_verts  : LEMMA walk?(del_verts(G, W), p) IMPLIES walk?[T](G, p)
  
     del_verts_eq: LEMMA del_vert(del_vert(G, w1), w2) = del_verts(G, dbl(w1, w
 2))
  
  END sep_set_lems
  
  
  
  
  
  
  $$$sep_set_lems.prf
  (sep_set_lems
   (sep_num_0 0
    (sep_num_0-1 nil 3251049123 nil
     ("" (skosimp*)
      (("" (expand "sep_num")
        (("" (lemma "min_sep_set_seps")
          (("" (lemma "card_is_0[T]")
            (("" (inst?)
              (("" (iff -1)
                (("" (assert) (("" (inst?) (("" (assert) nil))))))))))))))))
      nil)
     proved-complete
     ((T formal-type-decl nil sep_set_lems nil)
      (min_sep_set_seps formula-decl nil sep_sets nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (pregraph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil)
      (min_sep_set const-decl "finite_set[T]" sep_sets nil)
      (card_is_0 formula-decl nil finite_sets nil)
      (sep_num const-decl "nat" sep_sets nil))
     nil nil nil nil))
   (sep_num_gt_0 0
    (sep_num_gt_0-1 nil 3251049123 nil
     ("" (skosimp*)
      (("" (expand "sep_num")
        (("" (case "separates(G!1,emptyset[T],s!1,t!1)")
          (("1" (lemma "min_sep_set_card")
            (("1" (inst?)
              (("1" (assert)
                (("1" (rewrite "card_emptyset[T]") (("1" (assert) nil)))))))))
           ("2" (hide -1 -2)
            (("2" (expand "separates")
              (("2" (prop)
                (("1" (expand "emptyset") (("1" (propax) nil)))
                 ("2" (expand "emptyset") (("2" (propax) nil)))
                 ("3" (skosimp*)
                  (("3" (typepred "w!1")
                    (("3" (case-replace "del_verts(G!1, emptyset[T]) = G!1")
                      (("1" (hide -1) (("1" (inst 1 "w!1") nil)))
                       ("2" (hide -1 -2 -3 2)
                        (("2" (apply-extensionality :hide? t)
                          (("1" (apply-extensionality :hide? t)
                            (("1" (expand "emptyset")
                              (("1" (expand "del_verts")
                                (("1" (propax) nil)))))))
                           ("2" (apply-extensionality :hide? t)
                            (("2" (expand "del_verts")
                              (("2" (grind) nil))))))))))))))))))))))))))
      nil)
     proved-complete
     ((emptyset const-decl "set" sets nil)
      (separates const-decl "bool" sep_sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil sep_set_lems nil)
      (card_emptyset formula-decl nil finite_sets nil)
      (min_sep_set_card formula-decl nil sep_sets nil)
      (del_verts const-decl "graph[T]" sep_sets nil)
      (member const-decl "bool" sets nil) (difference const-decl "set" sets nil
 )
      (prewalk type-eq-decl nil walks nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (below type-eq-decl nil nat_types nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (> const-decl "bool" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number nonempty-type-decl nil numbers nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (sep_num const-decl "nat" sep_sets nil))
     nil nil nil nil))
   (sep_num_is_1 0
    (sep_num_is_1-1 nil 3251049123 nil
     ("" (skosimp*)
      (("" (case "separates(G!1, singleton[T](v!1), s!1, t!1)")
        (("1" (hide -2)
          (("1" (expand "sep_num")
            (("1" (lemma "min_sep_set_card")
              (("1" (inst?)
                (("1" (assert) (("1" (rewrite "card_singleton[T]") nil)))
                 ("2" (reveal -2) (("2" (propax) nil)))))))))))
         ("2" (hide 2)
          (("2" (expand "separates")
            (("2" (split 1)
              (("1" (expand "singleton")
                (("1" (reveal 1) (("1" (assert) nil)))))
               ("2" (expand "singleton") (("2" (assert) nil)))
               ("3" (skosimp*)
                (("3" (inst -4 "w!1")
                  (("3" (expand "walk_from?")
                    (("3" (flatten)
                      (("3" (assert)
                        (("3" (split -6)
                          (("1" (skosimp*)
                            (("1" (expand "walk?")
                              (("1" (flatten)
                                (("1" (hide -5)
                                  (("1" (expand "verts_in?")
                                    (("1" (inst - "i!1")
                                      (("1" (expand "del_verts")
                                        (("1"
                                          (expand "difference")
                                          (("1"
                                            (expand "member")
                                            (("1"
                                              (flatten)
                                              (("1"
                                                (expand "singleton")
                                                (("1"
                                                  (propax)
                                                  nil)))))))))))))))))))))))
                           ("2" (hide -1 -2 3)
                            (("2" (expand "walk?")
                              (("2" (flatten)
                                (("2" (split 1)
                                  (("1" (hide -2)
                                    (("1" (expand "verts_in?")
                                      (("1" (skosimp*)
                                        (("1"
                                          (inst?)
                                          (("1"
                                            (expand "del_verts")
                                            (("1"
                                              (expand "difference")
                                              (("1"
                                                (expand "member")
                                                (("1"
                                                  (expand "singleton")
                                                  (("1"
                                                    (flatten)
                                                    (("1"
                                                      (propax)
                                                      nil)))))))))))))))))))
                                   ("2" (skosimp*)
                                    (("2" (expand "fseq")
                                      (("2" (inst?)
                                        (("2"
                                          (assert)
                                          (("2"
                                            (expand "edge?")
                                            (("2"
                                              (flatten)
                                              (("2"
                                                (expand "del_verts")
                                                (("2"
                                                  (flatten)
                                                  (("2"
                                                    (hide -4)
                                                    (("2"
                                                      (assert)
                                                      nil))))))))))))))))))))))
 )))))))))))))))))))))))
         ("3" (rewrite "finite_singleton") nil))))
      nil)
     proved-complete
     ((prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number nonempty-type-decl nil numbers nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (below type-eq-decl nil nat_types nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (walk? const-decl "bool" walks nil)
      (below type-eq-decl nil naturalnumbers nil)
      (< const-decl "bool" reals nil) (>= const-decl "bool" reals nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (difference const-decl "set" sets nil) (member const-decl "bool" sets nil
 )
      (del_verts const-decl "graph[T]" sep_sets nil)
      (verts_in? const-decl "bool" walks nil)
      (fseq const-decl "[below[l(fs)] -> T]" seq_def nil)
      (edge? const-decl "bool" graphs nil)
      (walk_from? const-decl "bool" walks nil)
      (min_sep_set_card formula-decl nil sep_sets nil)
      (card_singleton formula-decl nil finite_sets nil)
      (sep_num const-decl "nat" sep_sets nil)
      (T formal-type-decl nil sep_set_lems nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil)
      (is_finite const-decl "bool" finite_sets nil)
      (separates const-decl "bool" sep_sets nil)
      (singleton? const-decl "bool" sets nil)
      (singleton const-decl "(singleton?)" sets nil))
     nil nil nil nil))
   (sep_num_le1_TCC1 0
    (sep_num_le1_TCC1-1 nil 3251049123 3251049219
     ("" (skosimp*) (("" (rewrite "finite_singleton[T]") nil)) nil) proved
     ((finite_singleton judgement-tcc nil finite_sets nil)
      (T formal-type-decl nil sep_set_lems nil))
     102 60 nil nil))
   (sep_num_le1 0
    (sep_num_le1-1 nil 3251049123 nil
     ("" (skosimp*)
      (("" (expand "sep_num")
        (("" (lemma "min_sep_set_seps")
          (("" (inst?)
            (("" (assert)
              (("" (case "card(min_sep_set(G!1, s!1, t!1)) = 1")
                (("1" (lemma "card_one[T]")
                  (("1" (inst?)
                    (("1" (assert)
                      (("1" (skosimp*)
                        (("1" (inst + "x!1")
                          (("1" (lemma "min_sep_set_vert")
                            (("1" (inst?)
                              (("1" (inst - "x!1")
                                (("1" (assert)
                                  (("1" (replace -2)
                                    (("1" (expand "singleton" -1)
                                      (("1" (expand "separable?")
                                        (("1"
                                          (flatten)
                                          (("1"
                                            (assert)
                                            (("1"
                                              (expand "separates")
                                              (("1"
                                                (flatten)
                                                (("1"
                                                  (expand "singleton")
                                                  (("1"
                                                    (assert)
                                                    nil))))))))))))))))))))))))
 )))))))))))
                 ("2" (case "card(min_sep_set(G!1, s!1, t!1)) = 0")
                  (("1" (hide -6 1)
                    (("1" (lemma "sep_num_0")
                      (("1" (inst -1 "G!1" "s!1" "t!1")
                        (("1" (assert)
                          (("1" (expand "sep_num")
                            (("1" (inst + "av!1")
                              (("1" (assert)
                                (("1" (hide -2 -3 -7)
                                  (("1" (expand "separates")
                                    (("1" (flatten)
                                      (("1" (assert)
                                        (("1"
                                          (expand "singleton")
                                          (("1"
                                            (skosimp*)
                                            (("1"
                                              (inst?)
                                              (("1"
                                                (expand "walk_from?")
                                                (("1"
                                                  (flatten)
                                                  (("1"
                                                    (assert)
                                                    (("1"
                                                      (expand "walk?")
                                                      (("1"
                                                        (flatten)
                                                        (("1"
                                                          (split +)
                                                          (("1"
                                                            (expand "verts_in?"
 )
                                                            (("1"
                                                              (expand
                                                               "del_verts")
                                                              (("1"
                                                                (expand
                                                                 "difference")
                                                                (("1"
                                                                  (expand
                                                                   "member")
                                                                  (("1"
                                                                    (skosimp*)
                                                                    (("1"
                                                                      (inst?)
                                                                      (("1"
                                                                        (assert
 )
                                                                        (("1"
                                                                          (flat
 ten)
                                                                          (("1"
                                                                            (as
 sert)
                                                                            (("
 1"
                                                                              (
 expand
                                                                               
 "emptyset")
                                                                              (
 ("1"
                                                                               
  (propax)
                                                                               
  nil)))))))))))))))))))))
                                                           ("2"
                                                            (skosimp*)
                                                            (("2"
                                                              (inst?)
                                                              (("2"
                                                                (expand "fseq")
                                                                (("2"
                                                                  (expand
                                                                   "edge?")
                                                                  (("2"
                                                                    (assert)
                                                                    (("2"
                                                                      (flatten)
                                                                      (("2"
                                                                        (assert
 )
                                                                        (("2"
                                                                          (expa
 nd
                                                                           "del
 _verts")
                                                                          (("2"
                                                                            (fl
 atten)
                                                                            (("
 2"
                                                                              (
 assert)
                                                                              (
 ("2"
                                                                               
  (skosimp*)
                                                                               
  (("2"
                                                                               
    (expand
                                                                               
     "emptyset")
                                                                               
    (("2"
                                                                               
      (propax)
                                                                               
      nil)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
                   ("2" (assert) nil))))))))))))))
      nil)
     proved-complete
     ((T formal-type-decl nil sep_set_lems nil)
      (min_sep_set_seps formula-decl nil sep_sets nil)
      (sep_num_0 formula-decl nil sep_set_lems nil)
      (prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (below type-eq-decl nil nat_types nil) (walk? const-decl "bool" walks nil
 )
      (del_verts const-decl "graph[T]" sep_sets nil)
      (member const-decl "bool" sets nil)
      (below type-eq-decl nil naturalnumbers nil)
      (< const-decl "bool" reals nil) (emptyset const-decl "set" sets nil)
      (difference const-decl "set" sets nil)
      (verts_in? const-decl "bool" walks nil)
      (edge? const-decl "bool" graphs nil)
      (fseq const-decl "[below[l(fs)] -> T]" seq_def nil)
      (walk_from? const-decl "bool" walks nil)
      (card_one formula-decl nil finite_sets nil)
      (singleton const-decl "(singleton?)" sets nil)
      (separates const-decl "bool" sep_sets nil)
      (separable? const-decl "bool" sep_sets nil)
      (min_sep_set_vert formula-decl nil sep_sets nil)
      (number nonempty-type-decl nil numbers nil)
      (is_finite const-decl "bool" finite_sets nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (int nonempty-type-eq-decl nil integers nil)
      (>= const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (Card const-decl "nat" finite_sets nil)
      (card const-decl "{n: nat | n = Card(S)}" finite_sets nil)
      (min_sep_set const-decl "finite_set[T]" sep_sets nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (sep_num const-decl "nat" sep_sets nil))
     nil nil nil nil))
   (separable?_comm 0
    (separable?_comm-1 nil 3251049123 nil
     ("" (skosimp*)
      (("" (expand "separable?")
        (("" (flatten)
          (("" (assert)
            (("" (expand "edge?") (("" (rewrite "dbl_comm") nil))))))))))
      nil)
     proved-complete
     ((edge? const-decl "bool" graphs nil)
      (T formal-type-decl nil sep_set_lems nil)
      (dbl_comm formula-decl nil doubletons nil)
      (separable? const-decl "bool" sep_sets nil))
     nil nil nil nil))
   (separates_comm 0
    (separates_comm-1 nil 3251049123 nil
     ("" (skosimp*)
      (("" (expand "separates")
        (("" (iff 1)
          (("" (ground)
            (("1" (skosimp*)
              (("1" (lemma "walk?_reverse")
                (("1" (inst?)
                  (("1" (assert) (("1" (skosimp*) (("1" (inst 3 "w!2") nil)))))
                   ("2" (expand "walk_from?")
                    (("2" (flatten) (("2" (propax) nil)))))))))))
             ("2" (skosimp*)
              (("2" (lemma "walk?_reverse")
                (("2" (inst?)
                  (("1" (assert) (("1" (skosimp*) (("1" (inst 3 "w!2") nil)))))
                   ("2" (expand "walk_from?")
                    (("2" (flatten) (("2" (propax) nil))))))))))))))))))
      nil)
     proved-complete
     ((boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil)
      (is_finite const-decl "bool" finite_sets nil)
      (del_verts const-decl "graph[T]" sep_sets nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (below type-eq-decl nil nat_types nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (number nonempty-type-decl nil numbers nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (> const-decl "bool" reals nil) (prewalk type-eq-decl nil walks nil)
      (Walk type-eq-decl nil walks nil) (walk? const-decl "bool" walks nil)
      (walk?_reverse formula-decl nil walks nil)
      (T formal-type-decl nil sep_set_lems nil)
      (separates const-decl "bool" sep_sets nil))
     nil nil nil nil))
   (sep_num_comm 0
    (sep_num_comm-1 nil 3251049123 nil
     ("" (skosimp*)
      (("" (case "separable?(G!1,s!1,t!1)")
        (("1" (lemma "min_sep_set_seps")
          (("1" (inst?)
            (("1" (lemma "min_sep_set_seps")
              (("1" (inst -1 "G!1" "t!1" "s!1")
                (("1" (lemma "separable?_comm")
                  (("1" (inst?)
                    (("1" (assert)
                      (("1" (expand "sep_num")
                        (("1" (lemma "min_sep_set_card")
                          (("1"
                            (inst -1 "G!1" "min_sep_set(G!1, t!1, s!1)" "s!1"
                             "t!1")
                            (("1" (lemma "min_sep_set_card")
                              (("1"
                                (inst -1 "G!1" "min_sep_set(G!1, s!1, t!1)"
                                 "t!1" "s!1")
                                (("1" (split -1)
                                  (("1" (split -2)
                                    (("1" (assert) nil)
                                     ("2" (rewrite "separates_comm") nil)))
                                   ("2" (rewrite "separates_comm")
                                    nil)))))))))))))))))))))))))))
         ("2" (expand "sep_num")
          (("2" (lemma "min_sep_set_edge")
            (("2" (copy -1)
              (("2" (inst?)
                (("2" (inst -2 "G!1" "t!1" "s!1")
                  (("2" (lemma "separable?_comm")
                    (("2" (inst?) (("2" (assert) nil))))))))))))))))))
      nil)
     proved-complete
     ((NOT const-decl "[bool -> bool]" booleans nil)
      (min_sep_set_edge formula-decl nil sep_sets nil)
      (min_sep_set_seps formula-decl nil sep_sets nil)
      (separable?_comm formula-decl nil sep_set_lems nil)
      (min_sep_set_card formula-decl nil sep_sets nil)
      (separates_comm formula-decl nil sep_set_lems nil)
      (is_finite const-decl "bool" finite_sets nil)
      (min_sep_set const-decl "finite_set[T]" sep_sets nil)
      (sep_num const-decl "nat" sep_sets nil)
      (T formal-type-decl nil sep_set_lems nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil)
      (separable? const-decl "bool" sep_sets nil))
     nil nil nil nil))
   (v_not_in_TCC1 0
    (v_not_in_TCC1-1 nil 3251049219 3251049938
     ("" (skosimp*) (("" (assert) (("" (rewrite "finite_remove") nil nil)) nil)
 )
      nil)
     proved
     ((T formal-type-decl nil sep_set_lems nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (finite_remove judgement-tcc nil finite_sets nil))
     12486 1210 t shostak))
   (v_not_in 0
    (v_not_in-1 nil 3251049123 nil
     ("" (skosimp*)
      (("" (expand "walk_from?")
        (("" (flatten)
          (("" (assert)
            (("" (hide -1 -2)
              (("" (expand "walk?")
                (("" (flatten)
                  (("" (split 2)
                    (("1" (hide -2)
                      (("1" (expand "verts_in?")
                        (("1" (skosimp*)
                          (("1" (expand "del_verts")
                            (("1" (expand "difference")
                              (("1" (expand "remove")
                                (("1" (expand "member")
                                  (("1" (inst?)
                                    (("1" (flatten)
                                      (("1" (assert)
                                        (("1"
                                          (expand "verts_of")
                                          (("1"
                                            (inst?)
                                            (("1"
                                              (expand "fseq")
                                              (("1"
                                                (assert)
                                                nil)))))))))))))))))))))))))))
                     ("2" (skosimp*)
                      (("2" (expand "fseq")
                        (("2" (expand "edge?")
                          (("2" (inst?)
                            (("2" (assert)
                              (("2" (flatten)
                                (("2" (assert)
                                  (("2" (hide -2)
                                    (("2" (expand "del_verts")
                                      (("2" (flatten)
                                        (("2"
                                          (assert)
                                          (("2"
                                            (skosimp*)
                                            (("2"
                                              (expand "dbl")
                                              (("2"
                                                (expand "remove")
                                                (("2"
                                                  (expand "member")
                                                  (("2"
                                                    (inst -5 "v!2")
                                                    (("2"
                                                      (assert)
                                                      (("2"
                                                        (expand "verts_of")
                                                        (("2"
                                                          (expand "fseq")
                                                          (("2"
                                                            (split -3)
                                                            (("1"
                                                              (inst?)
                                                              (("1"
                                                                (assert)
                                                                nil)))
                                                             ("2"
                                                              (inst?)
                                                              (("2"
                                                                (assert)
                                                                nil))))))))))))
 ))))))))))))))))))))))))))))))))))))))))))))))
      nil)
     proved-incomplete
     ((edge? const-decl "bool" graphs nil)
      (dbl const-decl "set[T]" doubletons nil)
      (+ const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (difference const-decl "set" sets nil) (member const-decl "bool" sets nil
 )
      (verts_of const-decl "finite_set[T]" walks nil)
      (fseq const-decl "[below[l(fs)] -> T]" seq_def nil)
      (below type-eq-decl nil naturalnumbers nil)
      (prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil sep_set_lems nil)
      (below type-eq-decl nil nat_types nil) (< const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (boolean nonempty-type-decl nil booleans nil)
      (number nonempty-type-decl nil numbers nil)
      (remove const-decl "set" sets nil)
      (del_verts const-decl "graph[T]" sep_sets nil)
      (verts_in? const-decl "bool" walks nil)
      (walk? const-decl "bool" walks nil)
      (walk_from? const-decl "bool" walks nil))
     nil nil nil nil))
   (path_thru_each 0
    (path_thru_each-1 nil 3251049123 nil
     ("" (skosimp*)
      (("" (case "separates(G!1, remove(v!1,W!1) , s!1, t!1)")
        (("1" (hide 1)
          (("1" (lemma "min_sep_set_card")
            (("1" (inst?)
              (("1" (assert)
                (("1" (expand "sep_num")
                  (("1" (replace -3)
                    (("1" (hide -3)
                      (("1" (hide -2 -3 -5 -6 -7)
                        (("1" (rewrite "card_remove")
                          (("1" (assert) nil)))))))))))))))))))
         ("2" (expand "separates")
          (("2" (flatten)
            (("2" (split 1)
              (("1" (expand "remove")
                (("1" (expand "member")
                  (("1" (flatten) (("1" (propax) nil)))))))
               ("2" (expand "remove")
                (("2" (expand "member")
                  (("2" (flatten) (("2" (propax) nil)))))))
               ("3" (skosimp*)
                (("3" (case "verts_of(w!1)(v!1)")
                  (("1" (hide 3)
                    (("1" (lemma "walk_to_path_from")
                      (("1" (inst?)
                        (("1" (assert)
                          (("1" (skosimp*)
                            (("1" (inst 3 "p!1")
                              (("1" (lemma "path?_del_verts")
                                (("1" (inst?)
                                  (("1" (inst?)
                                    (("1" (expand "path_from?")
                                      (("1" (flatten)
                                        (("1"
                                          (assert)
                                          (("1"
                                            (reveal 2)
                                            (("1"
                                              (inst 1 "p!1")
                                              (("1"
                                                (hide -1 -6 -7 -8 -10 2 3)
                                                (("1"
                                                  (expand "path?")
                                                  (("1"
                                                    (flatten)
                                                    (("1"
                                                      (hide -2)
                                                      (("1"
                                                        (lemma "v_not_in")
                                                        (("1"
                                                          (hide -5)
                                                          (("1"
                                                            (inst?)
                                                            (("1"
                                                              (inst?)
                                                              (("1"
                                                                (assert)
                                                                (("1"
                                                                  (hide 2 3)
                                                                  (("1"
                                                                    (expand
                                                                     "walk_from
 ?")
                                                                    (("1"
                                                                      (expand
                                                                       "from?")
                                                                      (("1"
                                                                        (propax
 )
                                                                        nil))))
 )))))))))))))))))))))))))))))))))))))))))))))))))
                   ("2" (hide 5)
                    (("2" (inst + "w!1")
                      (("2" (hide -2 -3 -5 -6 2 3)
                        (("2" (lemma "v_not_in")
                          (("2" (inst?)
                            (("2" (assert) nil))))))))))))))))))))))))
      nil)
     proved-incomplete
     ((member const-decl "bool" sets nil)
      (verts_of const-decl "finite_set[T]" walks nil)
      (prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number nonempty-type-decl nil numbers nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (below type-eq-decl nil nat_types nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (walk_to_path_from formula-decl nil path_ops nil)
      (path_from? const-decl "bool" paths nil)
      (path? const-decl "bool" paths nil) (from? const-decl "bool" walks nil)
      (walk_from? const-decl "bool" walks nil)
      (v_not_in formula-decl nil sep_set_lems nil)
      (path?_del_verts formula-decl nil path_ops nil)
      (del_verts const-decl "graph[T]" sep_sets nil)
      (sep_num const-decl "nat" sep_sets nil)
      (card_remove formula-decl nil finite_sets nil)
      (min_sep_set_card formula-decl nil sep_sets nil)
      (T formal-type-decl nil sep_set_lems nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil)
      (is_finite const-decl "bool" finite_sets nil)
      (separates const-decl "bool" sep_sets nil)
      (remove const-decl "set" sets nil))
     nil nil nil nil))
   (one_to_each 0
    (one_to_each-1 nil 3251049123 nil
     ("" (skosimp*)
      (("" (lemma "path_thru_each")
        (("" (inst?)
          (("" (case "w1!1 = w2!1")
            (("1" (hide -2 1)
              (("1" (expand "sep_num")
                (("1" (lemma "min_sep_set_card")
                  (("1" (inst?)
                    (("1" (assert)
                      (("1" (replace -3)
                        (("1" (hide -3)
                          (("1"
                            (case-replace "dbl(w1!1, w2!1) = singleton(w1!1)")
                            (("1" (rewrite "card_singleton")
                              (("1" (assert) nil)))
                             ("2" (apply-extensionality 1 :hide? t)
                              (("2" (hide -1 -3 -4 -5)
                                (("2" (expand "dbl")
                                  (("2" (expand "singleton")
                                    (("2" (iff 1)
                                      (("2" (ground)
                                        nil)))))))))))))))))))))))))))
             ("2" (case "card(dbl(w1!1,w2!1)) = 2")
              (("1" (split 2)
                (("1" (inst - "dbl(w1!1, w2!1)" "w1!1")
                  (("1" (assert)
                    (("1" (expand "dbl" -2)
                      (("1" (skosimp*)
                        (("1" (expand "verts_of")
                          (("1" (skosimp*)
                            (("1" (expand "fseq")
                              (("1" (inst + "pv!1^(0,i!1)")
                                (("1" (expand "path_from?")
                                  (("1" (expand "from?")
                                    (("1" (flatten)
                                      (("1" (assert)
                                        (("1"
                                          (split 1)
                                          (("1" (rewrite "path?_caret") nil)
                                           ("2"
                                            (expand "^")
                                            (("2" (propax) nil)))
                                           ("3"
                                            (expand "^")
                                            (("3" (propax) nil)))))))))))))
                                 ("2" (expand "^")
                                  (("2" (assert) nil)))))))))))))))))
                   ("2" (rewrite "finite_dbl") nil)))
                 ("2" (inst - "dbl(w1!1, w2!1)" "w2!1")
                  (("1" (assert)
                    (("1" (expand "dbl" -2)
                      (("1" (skosimp*)
                        (("1" (expand "verts_of")
                          (("1" (skosimp*)
                            (("1" (expand "fseq")
                              (("1" (inst + "pv!1^(0,i!1)")
                                (("1" (expand "path_from?")
                                  (("1" (expand "from?")
                                    (("1" (flatten)
                                      (("1" (assert)
                                        (("1"
                                          (split 1)
                                          (("1" (rewrite "path?_caret") nil)
                                           ("2"
                                            (expand "^")
                                            (("2" (propax) nil)))
                                           ("3"
                                            (expand "^")
                                            (("3" (propax) nil)))))))))))))
                                 ("2" (expand "^")
                                  (("2" (assert) nil)))))))))))))))))
                   ("2" (rewrite "finite_dbl") nil)))))
               ("2" (hide -1 -2 -3 -4 -5 3) (("2" (rewrite "card_dbl") nil)))
               ("3" (rewrite "finite_dbl") nil))))))))))
      nil)
     proved-incomplete
     ((T formal-type-decl nil sep_set_lems nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil)
      (number nonempty-type-decl nil numbers nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (int nonempty-type-eq-decl nil integers nil)
      (>= const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (Card const-decl "nat" finite_sets nil)
      (card const-decl "{n: nat | n = Card(S)}" finite_sets nil)
      (verts_of const-decl "finite_set[T]" walks nil)
      (fseq const-decl "[below[l(fs)] -> T]" seq_def nil)
      (path_from? const-decl "bool" paths nil)
      (path?_caret formula-decl nil paths nil)
      (from? const-decl "bool" walks nil) (prewalk type-eq-decl nil walks nil)
      (^ const-decl "fin_seq(IF PROJ_1(p) > PROJ_2(p) THEN 0
          ELSE PROJ_2(p) - PROJ_1(p) + 1
          ENDIF)" seq_def nil)
      (fin_seq type-eq-decl nil seq_def nil)
      (- const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (+ const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (IF const-decl "[boolean, T, T -> T]" if_def nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (below type-eq-decl nil naturalnumbers nil)
      (below type-eq-decl nil nat_types nil) (< const-decl "bool" reals nil)
      (finite_seq type-eq-decl nil seq_def nil) (> const-decl "bool" reals nil)
      (card_dbl formula-decl nil graphs nil)
      (min_sep_set_card formula-decl nil sep_sets nil)
      (card_singleton formula-decl nil finite_sets nil)
      (singleton? const-decl "bool" sets nil)
      (singleton const-decl "(singleton?)" sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (sep_num const-decl "nat" sep_sets nil)
      (path_thru_each formula-decl nil sep_set_lems nil))
     nil nil nil nil))
   (walk?_del_verts 0
    (walk?_del_verts-1 nil 3251049123 nil
     ("" (skosimp*)
      (("" (expand "walk?")
        (("" (split +)
          (("1" (flatten)
            (("1" (hide -2)
              (("1" (expand "verts_in?")
                (("1" (skosimp*)
                  (("1" (inst?)
                    (("1" (expand "del_verts")
                      (("1" (expand "difference")
                        (("1" (expand "member")
                          (("1" (assert) nil)))))))))))))))))
           ("2" (skosimp*)
            (("2" (inst?)
              (("2" (expand "fseq")
                (("2" (assert)
                  (("2" (hide -2)
                    (("2" (expand "edge?")
                      (("2" (flatten)
                        (("2" (assert)
                          (("2" (expand "del_verts")
                            (("2" (propax) nil))))))))))))))))))))))))
      nil)
     proved-complete
     ((del_verts const-decl "graph[T]" sep_sets nil)
      (member const-decl "bool" sets nil) (difference const-decl "set" sets nil
 )
      (below type-eq-decl nil naturalnumbers nil)
      (prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil sep_set_lems nil)
      (below type-eq-decl nil nat_types nil) (< const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (boolean nonempty-type-decl nil booleans nil)
      (number nonempty-type-decl nil numbers nil)
      (verts_in? const-decl "bool" walks nil)
      (edge? const-decl "bool" graphs nil)
      (fseq const-decl "[below[l(fs)] -> T]" seq_def nil)
      (walk? const-decl "bool" walks nil))
     nil nil nil nil))
   (del_verts_eq 0
    (del_verts_eq-1 nil 3251049123 nil
     ("" (skosimp*)
      (("" (apply-extensionality 1 :hide? t)
        (("1" (apply-extensionality 1 :hide? t)
          (("1" (iff 1)
            (("1" (expand "del_vert")
              (("1" (expand "del_verts")
                (("1" (ground)
                  (("1" (skosimp*) (("1" (expand "dbl") (("1" (ground) nil)))))
                   ("2" (inst?) (("2" (expand "dbl") (("2" (propax) nil)))))
                   ("3" (inst?)
                    (("3" (expand "dbl") (("3" (propax) nil)))))))))))))))
         ("2" (apply-extensionality 1 :hide? t)
          (("2" (expand "del_vert")
            (("2" (expand "remove")
              (("2" (expand "member")
                (("2" (iff 1)
                  (("2" (expand "del_verts")
                    (("2" (expand "difference")
                      (("2" (expand "member")
                        (("2" (expand "dbl")
                          (("2" (ground) nil))))))))))))))))))))))
      nil)
     proved-complete
     ((remove const-decl "set" sets nil) (difference const-decl "set" sets nil)
      (member const-decl "bool" sets nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil)
      (del_vert const-decl "graph[T]" graph_ops nil)
      (is_finite const-decl "bool" finite_sets nil)
      (del_verts const-decl "graph[T]" sep_sets nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil sep_set_lems nil))
     nil nil nil nil)))
  
  
  $$$walk_inductions.pvs
  walk_inductions[T: TYPE]: THEORY
  BEGIN
  
     IMPORTING walks[T]
  
     P: VAR pred[prewalk]
     n: VAR nat
     w,ww: VAR prewalk
  
     walk_prep              : LEMMA (FORALL w: P(w)) IFF 
                                         (FORALL n, w : l(w) = n IMPLIES P(w)) 
     
     
     graph_induction_walk    : THEOREM (FORALL w:
                                   (FORALL ww: l(ww) < l(w) IMPLIES P(ww))
                                                   IMPLIES P(w))
                                     IMPLIES (FORALL w: P(w))
      
  END walk_inductions
  
  
  
  
  
  
  
  
  
  $$$walk_inductions.prf
  (|walk_inductions|
   (|walk_prep| "" (SKOSIMP*)
    (("" (SPLIT)
      (("1" (FLATTEN) (("1" (SKOSIMP*) (("1" (INST?) NIL NIL)) NIL)) NIL)
       ("2" (FLATTEN)
        (("2" (SKOSIMP*) (("2" (INST?) (("2" (INST?) NIL NIL)) NIL)) NIL)) NIL)
 )
      NIL))
    NIL)
   (|graph_induction_walk| "" (SKOSIMP)
    (("" (LEMMA "walk_prep")
      (("" (INST -1 "P!1")
        (("" (FLATTEN)
          (("" (HIDE -1)
            (("" (SPLIT -1)
              (("1" (PROPAX) NIL NIL)
               ("2" (HIDE 2)
                (("2" (INDUCT "n" 1 "NAT_induction")
                  (("2" (SKOSIMP*)
                    (("2" (INST -3 "w!1")
                      (("2" (SPLIT -3)
                        (("1" (PROPAX) NIL NIL)
                         ("2" (SKOSIMP*)
                          (("2" (INST -2 "l(ww!1)")
                            (("2" (ASSERT) (("2" (INST?) NIL NIL)) NIL)) NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL))
                NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL))
  
  
  $$$subgraphs.pvs
  subgraphs[T: TYPE]: THEORY
  
  BEGIN
  
     IMPORTING graphs[T]
  
     V: VAR set[T]
     G,G1,G2,SS: VAR graph[T]
     i: VAR T
     e: VAR doubleton[T]
  
     subgraph?(G1,G2): bool = subset?(vert(G1),vert(G2)) AND
                              subset?(edges(G1),edges(G2))
  
     equal?(G1,G2): bool = subgraph?(G1,G2) AND subgraph?(G2,G1)
  
     Subgraph(G): TYPE = {S: graph[T] | subgraph?(S,G)}
  
     finite_vert_subset: LEMMA is_finite(LAMBDA (i:T): vert(G)(i) AND V(i))
  
  
     subgraph(G, V): Subgraph(G) =
         (G WITH [vert :=  {i | vert(G)(i) AND V(i)},
                  edges := {e | edges(G)(e) AND 
                                (FORALL (x: T): e(x) IMPLIES V(x))}])
  
     subgraph_vert_sub: LEMMA subset?(V,vert(G)) IMPLIES
                                          vert(subgraph(G,V)) = V
  
     subgraph_lem     : LEMMA subgraph?(subgraph(G,V),G)
  
     subgraph_smaller: LEMMA subgraph?(SS, G) IMPLIES
     	                     size(SS) <= size(G)
  
  END subgraphs
  
  $$$subgraphs.prf
  (subgraphs
   (finite_vert_subset 0
    (finite_vert_subset-1 nil 3251040622 3251040769
     ("" (skosimp*)
      (("" (lemma "finite_subset[T]")
        (("" (inst?)
          (("" (inst -1 "vert(G!1)")
            (("" (assert) (("" (hide 2) (("" (grind) nil nil)) nil)) nil)) nil)
 )
          nil))
        nil))
      nil)
     proved
     ((T formal-type-decl nil subgraphs nil)
      (finite_subset formula-decl nil finite_sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (subset? const-decl "bool" sets nil) (member const-decl "bool" sets nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil))
     113 110 nil nil))
   (subgraph_TCC1 0
    (subgraph_TCC1-1 nil 3251040622 3251045986
     ("" (skosimp*)
      (("" (split +)
        (("1" (skosimp*)
          (("1" (typepred "G!1")
            (("1" (inst?)
              (("1" (assert)
                (("1" (inst?) (("1" (inst?) (("1" (assert) nil nil)) nil)) nil)
 )
                nil))
              nil))
            nil))
          nil)
         ("2" (grind) nil nil))
        nil))
      nil)
     proved
     ((graph type-eq-decl nil graphs nil) (pregraph type-eq-decl nil graphs nil
 )
      (finite_set type-eq-decl nil finite_sets nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil) (T formal-type-decl nil subgraphs nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (member const-decl "bool" sets nil) (subset? const-decl "bool" sets nil)
      (subgraph? const-decl "bool" subgraphs nil))
     13038 3640 t nil))
   (subgraph_vert_sub 0
    (subgraph_vert_sub-1 nil 3251040622 3251040769
     ("" (skosimp*)
      (("" (expand "subgraph")
        (("" (apply-extensionality 1 :hide? t)
          (("" (expand "subset?")
            (("" (inst?)
              (("" (expand "member") (("" (iff 1) (("" (ground) nil nil)) nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((subgraph const-decl "Subgraph(G)" subgraphs nil)
      (subset? const-decl "bool" sets nil) (member const-decl "bool" sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil) (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil subgraphs nil))
     103 90 nil nil))
   (subgraph_lem 0
    (subgraph_lem-1 nil 3251040622 3251040769
     ("" (skosimp*) (("" (assert) nil nil)) nil) proved nil 39 30 nil nil))
   (subgraph_smaller 0
    (subgraph_smaller-1 nil 3251040622 3251040769
     ("" (skosimp*)
      (("" (expand "size")
        (("" (expand "subgraph?") (("" (rewrite "card_subset[T]") nil nil))
          nil))
        nil))
      nil)
     proved
     ((size const-decl "nat" graphs nil)
      (card_subset formula-decl nil finite_sets nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (pregraph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil) (T formal-type-decl nil subgraphs nil
 )
      (subgraph? const-decl "bool" subgraphs nil))
     110 90 nil nil)))
  
  
  $$$path_ops.pvs
  path_ops[T: TYPE]: THEORY
  BEGIN
  
     IMPORTING paths[T], subgraphs[T], sep_sets[T], graph_ops[T]
  
     G: VAR graph[T]
     v,s,t: VAR T
     e: VAR doubleton[T]
     W,V: VAR finite_set[T]
     w: VAR prewalk
     i,j: VAR nat
  
     walk?_del_vert     : LEMMA walk?(del_vert(G, v), w) IMPLIES walk?[T](G, w)
  
     walk?_del_vert_not : LEMMA walk?(G, w) AND NOT verts_of(w)(v)
                                            IMPLIES walk?(del_vert(G, v), w)
  
  
     path?_del_vert     : LEMMA FORALL (w: prewalk): path?(del_vert(G, v), w) 
                                                         IMPLIES path?[T](G, w)
  
     path?_del_verts    : LEMMA FORALL (w: prewalk): path?(del_verts(G, W), w) 
                                                         IMPLIES path?[T](G, w)
    
  
     IMPORTING walk_inductions[T]
  
     walk_to_path      : LEMMA (EXISTS (w: prewalk): walk_from?(G,w,s,t)) IMPLI
 ES
                                   (EXISTS (p: prewalk): path?(G,p) and
                                                     walk_from?(G,p,s,t))
  
  
  
     walk_to_path_from : LEMMA walk_from?(G,w,s,t) IMPLIES
                                   (EXISTS (p: prewalk): path_from?(G,p,s,t))
  
  
      path_edge_once: LEMMA path?(G,w) AND i<l(w)-1 AND j<l(w)-1 
                            AND dbl(w(i),w(i+1))=dbl(w(j),w(j+1)) IMPLIES i=j
  
  
  %  AUTO_REWRITE+ walk?_del_vert      % walk?(del_vert(G,v),w) -> walk?[T](G, 
 w)
  %  AUTO_REWRITE+ walk?_del_vert_not
  %  AUTO_REWRITE+ path?_del_vert      % path?(del_vert(G,v),w) -> path?[T](G, 
 w)
  %  AUTO_REWRITE+ path?_del_verts     % path?(del_verts(G,W),w)-> path?[T](G, 
 w)
  
  
  END path_ops
  
  
  
  
  
  
  
  
  $$$path_ops.prf
  (|path_ops|
   (|walk?_del_vert| "" (SKOSIMP*)
    (("" (EXPAND "walk?")
      (("" (FLATTEN)
        (("" (PROP)
          (("1" (HIDE -2)
            (("1" (EXPAND "verts_in?")
              (("1" (SKOSIMP*)
                (("1" (INST?) (("1" (GRIND) NIL NIL)) NIL)) NIL))
              NIL))
            NIL)
           ("2" (HIDE -1)
            (("2" (SKOSIMP*)
              (("2" (INST?)
                (("2" (ASSERT)
                  (("2" (LEMMA "edges_del_vert")
                    (("2" (EXPAND "edge?")
                      (("2" (FLATTEN)
                        (("2" (INST?)
                          (("1" (ASSERT) NIL NIL)
                           ("2" (INST?) (("2" (ASSERT) NIL NIL)) NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL))
                NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|walk?_del_vert_not| "" (SKOSIMP*)
    (("" (EXPAND "walk?")
      (("" (FLATTEN)
        (("" (PROP)
          (("1" (HIDE -2)
            (("1" (EXPAND "verts_in?")
              (("1" (SKOSIMP*)
                (("1" (EXPAND "verts_of")
                  (("1" (INST 2 "i!1")
                    (("1" (EXPAND "fseq")
                      (("1" (INST?)
                        (("1" (EXPAND "del_vert")
                          (("1" (EXPAND "remove")
                            (("1" (EXPAND "member")
                              (("1" (ASSERT) NIL NIL)) NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL))
                NIL))
              NIL))
            NIL)
           ("2" (SKOSIMP*)
            (("2" (INST?)
              (("2" (HIDE -2)
                (("2" (EXPAND "del_vert")
                  (("2" (EXPAND "edge?")
                    (("2" (ASSERT)
                      (("2" (FLATTEN)
                        (("2" (ASSERT)
                          (("2" (EXPAND "verts_of")
                            (("2" (EXPAND "dbl")
                              (("2" (HIDE -3 1)
                                (("2"
                                  (SPLIT)
                                  (("1"
                                    (INST?)
                                    (("1" (ASSERT) NIL NIL))
                                    NIL)
                                   ("2"
                                    (INST?)
                                    (("2" (ASSERT) NIL NIL))
                                    NIL))
                                  NIL))
                                NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL))
                NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|path?_del_vert| "" (SKOSIMP*)
    (("" (EXPAND "path?")
      (("" (FLATTEN)
        (("" (LEMMA "walk?_del_vert")
          (("" (INST?) (("" (ASSERT) NIL NIL)) NIL)) NIL))
        NIL))
      NIL))
    NIL)
   (|path?_del_verts| "" (SKOSIMP*)
    (("" (EXPAND "path?")
      (("" (FLATTEN)
        (("" (SPLIT +)
          (("1" (HIDE -2)
            (("1" (EXPAND "walk?")
              (("1" (FLATTEN)
                (("1" (SPLIT +)
                  (("1" (HIDE -2)
                    (("1" (EXPAND "verts_in?")
                      (("1" (EXPAND "del_verts")
                        (("1" (EXPAND "difference")
                          (("1" (EXPAND "member")
                            (("1" (SKOSIMP*)
                              (("1" (INST?) (("1" (ASSERT) NIL NIL))
                                NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL)
                   ("2" (SKOSIMP*)
                    (("2" (EXPAND "fseq")
                      (("2" (INST?)
                        (("2" (ASSERT)
                          (("2" (EXPAND "edge?")
                            (("2" (FLATTEN)
                              (("2" (ASSERT)
                                (("2"
                                  (EXPAND "del_verts")
                                  (("2" (PROPAX) NIL NIL))
                                  NIL))
                                NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL))
                NIL))
              NIL))
            NIL)
           ("2" (PROPAX) NIL NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|walk_to_path| "" (SKOLEM!)
    ((""
      (CASE "FORALL (w: prewalk): NOT walk_from?(G!1, w, s!1, t!1)
             OR (EXISTS (p: prewalk): path?(G!1, p) AND walk_from?(G!1, p, s!1,
  t!1))")
      (("1" (FLATTEN)
        (("1" (SKOSIMP*)
          (("1" (INST -1 "w!1") (("1" (ASSERT) NIL NIL)) NIL)) NIL))
        NIL)
       ("2" (HIDE 2)
        (("2" (INDUCT "w" 1 "graph_induction_walk")
          (("2" (SKOSIMP*)
            (("2"
              (CASE "(EXISTS (i,j: below(l(w!1))): i /= j AND seq(w!1)(i) = seq
 (w!1)(j))")
              (("1" (SKOSIMP*)
                (("1" (CASE "i!1 < j!1")
                  (("1" (INST -3 "w!1^(0,i!1) o w!1^(j!1+1,l(w!1)-1)")
                    (("1" (SPLIT -3)
                      (("1" (REWRITE "walk?_cut") NIL NIL)
                       ("2" (PROPAX) NIL NIL)
                       ("3" (HIDE -2 -3 3)
                        (("3" (EXPAND "o ")
                          (("3" (EXPAND "^")
                            (("3" (EXPAND "emptyseq")
                              (("3" (LIFT-IF) (("3" (GROUND) NIL NIL))
                                NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL)
                     ("2" (EXPAND "o ")
                      (("2" (EXPAND "^")
                        (("2" (LIFT-IF)
                          (("2" (EXPAND "emptyseq")
                            (("2" (PROPAX) NIL NIL)) NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL)
                   ("2" (ASSERT)
                    (("2" (INST -2 "w!1^(0,j!1) o w!1^(i!1+1,l(w!1)-1)")
                      (("1" (ASSERT)
                        (("1" (SPLIT -2)
                          (("1" (HIDE 4)
                            (("1" (REWRITE "walk?_cut") NIL NIL)) NIL)
                           ("2" (PROPAX) NIL NIL)
                           ("3" (EXPAND "o ")
                            (("3" (EXPAND "^")
                              (("3" (LIFT-IF)
                                (("3"
                                  (EXPAND "emptyseq")
                                  (("3" (PROPAX) NIL NIL))
                                  NIL))
                                NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL)
                       ("2" (EXPAND "o ")
                        (("2" (EXPAND "^")
                          (("2" (EXPAND "emptyseq")
                            (("2" (LIFT-IF) (("2" (GROUND) NIL NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL))
                NIL)
               ("2" (HIDE -1)
                (("2" (INST 2 "w!1")
                  (("2" (ASSERT)
                    (("2" (EXPAND "path?")
                      (("2" (EXPAND "walk_from?")
                        (("2" (FLATTEN)
                          (("2" (ASSERT)
                            (("2" (SKOSIMP*)
                              (("2" (EXPAND "fseq")
                                (("2"
                                  (INST?)
                                  (("2" (ASSERT) NIL NIL))
                                  NIL))
                                NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL))
                NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|walk_to_path_from| "" (SKOSIMP*)
    (("" (LEMMA "walk_to_path")
      (("" (INST?)
        (("" (INST -1 "s!1" "t!1")
          (("" (SPLIT -1)
            (("1" (SKOSIMP*)
              (("1" (INST?)
                (("1" (EXPAND "path_from?")
                  (("1" (ASSERT)
                    (("1" (EXPAND "walk_from?")
                      (("1" (FLATTEN)
                        (("1" (EXPAND "from?") (("1" (ASSERT) NIL NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL))
                NIL))
              NIL)
             ("2" (INST?) NIL NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|path_edge_once_TCC1| "" (SUBTYPE-TCC) NIL NIL)
   (|path_edge_once_TCC2| "" (SUBTYPE-TCC) NIL NIL)
   (|path_edge_once_TCC3| "" (SUBTYPE-TCC) NIL NIL)
   (|path_edge_once_TCC4| "" (SUBTYPE-TCC) NIL NIL)
   (|path_edge_once| "" (EXPAND "fseq")
    (("" (SKOSIMP*)
      (("" (EXPAND "path?")
        (("" (EXPAND "fseq")
          (("" (FLATTEN)
            (("" (INST-CP -2 "i!1" "j!1")
              (("1" (INST-CP -2 "i!1" "j!1+1")
                (("1" (INST-CP -2 "i!1+1" "j!1+1")
                  (("1" (INST-CP -2 "i!1+1" "j!1")
                    (("1" (HIDE -1 -2)
                      (("1" (ASSERT)
                        (("1" (GRIND)
                          (("1" (LEMMA "dbl_eq")
                            (("1" (INST? -1) (("1" (BDDSIMP) NIL NIL))
                              NIL))
                            NIL)
                           ("2" (LEMMA "dbl_eq")
                            (("2" (INST? -1) (("2" (BDDSIMP) NIL NIL))
                              NIL))
                            NIL)
                           ("3" (LEMMA "dbl_eq")
                            (("3" (INST? -1) (("3" (BDDSIMP) NIL NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL)
                     ("2" (ASSERT) NIL NIL) ("3" (ASSERT) NIL NIL))
                    NIL)
                   ("2" (ASSERT) NIL NIL) ("3" (ASSERT) NIL NIL))
                  NIL)
                 ("2" (ASSERT) NIL NIL) ("3" (ASSERT) NIL NIL))
                NIL)
               ("2" (ASSERT) NIL NIL) ("3" (ASSERT) NIL NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL))
  
  
  $$$graph_ops.pvs
  %------------------------------------------------------------------------
  % 
  %  Operations on a graph
  %  ------------------------------------------------
  %
  %      Author: Ricky W. Butler   NASA Langley Research Center
  %
  %  Defines:
  %
  %      union(G1,G2)      -- creates graph that is a union of G1 and G2  
  %
  %      del_vert(G,v)     -- removes a vertex and all adjacent edges from a gr
 aph
  %
  %      del_edge(e,G)     --  creates subgraph with edge e removed
  %   
  %      num_edges(G): nat --  number of edges in a graph
  %
  %------------------------------------------------------------------------
  graph_ops[T: TYPE]: THEORY
  
  BEGIN
  
     IMPORTING graphs[T]
  
     G, G1, G2: VAR graph[T]
     t1,t2: VAR T
     x,v: VAR T
     e,e2: VAR doubleton[T]
  
     union(G1,G2): graph[T] = (# vert := union(vert(G1),vert(G2)),
                                 edges := union(edges(G1),edges(G2)) #)
   
     del_vert(G: graph[T], v: T): graph[T] = 
                          (# vert := remove[T](v,vert(G)),
                             edges := {e | edges(G)(e) AND NOT e(v)} #)
                              
     del_edge(G,e): graph[T] = G WITH [edges := remove(e,edges(G))]
  
     num_edges(G): nat = card(edges(G))
  
  %  --------------------- del_vert(G,v) lemmas ----------------
  
     del_vert_still_in   : LEMMA FORALL (x: (vert(G))):
                                       x /= v IMPLIES vert(del_vert(G, v))(x)
  
     size_del_vert       : LEMMA FORALL (v: (vert(G))):
                                     size(del_vert(G,v)) = size(G) - 1
  
     del_vert_le         : LEMMA size(del_vert(G,v)) <= size(G) 
  
     del_vert_ge         : LEMMA size(del_vert(G,v)) >= size(G) - 1
  
     edge_in_del_vert    : LEMMA (edges(G)(e) AND NOT e(v)) IMPLIES
                                   edges(del_vert(G,v))(e)
     
     edges_del_vert      : LEMMA edges(del_vert(G,v))(e) IMPLIES
                                         edges(G)(e)
  
     del_vert_comm       : LEMMA del_vert(del_vert(G, x), v) =
                                      del_vert(del_vert(G, v), x)
  
     del_vert_empty?     : LEMMA FORALL (v: (vert(G))): 
                                    empty?(vert(del_vert(G, v))) IMPLIES
                                        singleton?(G)
  
  
  
  %  ---------- del_edge(G,e) ----------------------------------
  
     del_edge_lem       : LEMMA NOT member(e,edges(del_edge(G,e)))
    
     del_edge_lem2      : LEMMA edges(del_edge(G,e))(e2)
                      		    IMPLIES edges(G)(e2)
    
     del_edge_lem3      : LEMMA edges(G)(e2) AND e2 /= e IMPLIES
                      		    edges(del_edge(G,e))(e2) 
    
     del_edge_lem5      : LEMMA NOT edges(G)(e) IMPLIES del_edge(G, e) = G
  
     vert_del_edge      : LEMMA vert(del_edge(G,e)) = vert(G)
    
     del_edge_num       : LEMMA num_edges(del_edge(G,e)) = num_edges(G) 
                                         - IF edges(G)(e) THEN 1 ELSE 0 ENDIF
  
     del_edge_singleton : LEMMA singleton?(del_edge(G,e)) IMPLIES singleton?(G)
  
  
     del_vert_edge_comm : LEMMA del_vert(del_edge(G, e), v) = 
                                 del_edge(del_vert(G, v), e)
  
     del_vert_edge      : LEMMA e(v) IMPLIES
                                 del_vert(del_edge(G,e),v) = del_vert(G,v)
  
  
  %  --------------- Automatically turn on some simplifications -----
  
  %  AUTO_REWRITE+ del_vert_still_in   % x /= v IMPLIES vert(del_vert(G, v))(x)
  %  AUTO_REWRITE+ size_del_vert       % size(del_vert(G,v)) = size(G) - 1
  %  AUTO_REWRITE+ del_edge_lem2       % edges(del_edge(G,e))(e2) -> edges(G)(e
 2)
  %  AUTO_REWRITE+ vert_del_edge       % vert(del_edge(G,e)) = vert(G)
  
  %  --- following breaks alot of proofs
  %  AUTO_REWRITE+ edges_del_vert      % edges(del_vert(G,v))(e) -> edges(G)(e)
  
  END graph_ops
  
  
  $$$graph_ops.prf
  (graph_ops
   (union_TCC1 0
    (union_TCC1-1 nil 3251040627 3251046062
     ("" (skosimp*)
      (("" (expand "union")
        (("" (expand "member")
          (("" (flatten)
            (("" (prop)
              (("1" (typepred "G1!1")
                (("1" (inst?)
                  (("1" (assert) (("1" (inst?) (("1" (assert) nil nil)) nil))
                    nil))
                  nil))
                nil)
               ("2" (typepred "G2!1")
                (("2" (inst?)
                  (("2" (assert) (("2" (inst?) (("2" (assert) nil nil)) nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((union const-decl "set" sets nil) (graph type-eq-decl nil graphs nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil) (T formal-type-decl nil graph_ops nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (member const-decl "bool" sets nil))
     49094 5400 t nil))
   (del_vert_TCC1 0
    (del_vert_TCC1-1 nil 3251040627 3251046090
     ("" (skosimp*)
      (("" (expand "remove")
        (("" (expand "member")
          (("" (typepred "G!1")
            (("" (inst?)
              (("" (assert) (("" (inst?) (("" (assert) nil nil)) nil)) nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((remove const-decl "set" sets nil) (graph type-eq-decl nil graphs nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil) (T formal-type-decl nil graph_ops nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (member const-decl "bool" sets nil))
     21349 2850 t nil))
   (del_edge_TCC1 0
    (del_edge_TCC1-1 nil 3251040627 3251040784
     ("" (skosimp*)
      (("" (expand "remove")
        (("" (flatten)
          (("" (expand "member")
            (("" (typepred "G!1")
              (("" (inst?)
                (("" (assert) (("" (inst?) (("" (assert) nil))))))))))))))))
      nil)
     proved
     ((remove const-decl "set" sets nil) (member const-decl "bool" sets nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (T formal-type-decl nil graph_ops nil) (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil)
      (graph type-eq-decl nil graphs nil))
     88 70 nil nil))
   (del_vert_still_in 0
    (del_vert_still_in-1 nil 3251040627 3251040784
     ("" (skosimp*)
      (("" (expand "del_vert")
        (("" (expand "remove") (("" (expand "member") (("" (assert) nil))))))))
      nil)
     proved
     ((del_vert const-decl "graph[T]" graph_ops nil)
      (member const-decl "bool" sets nil) (remove const-decl "set" sets nil))
     65 50 nil nil))
   (size_del_vert 0
    (size_del_vert-1 nil 3251040627 3251040784
     ("" (skosimp*)
      (("" (typepred "v!1")
        (("" (expand "del_vert")
          (("" (expand "size") (("" (rewrite "card_remove") nil))))))))
      nil)
     proved
     ((graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil) (T formal-type-decl nil graph_ops nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (size const-decl "nat" graphs nil)
      (card_remove formula-decl nil finite_sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (del_vert const-decl "graph[T]" graph_ops nil))
     135 120 nil nil))
   (del_vert_le 0
    (del_vert_le-1 nil 3251040627 3251040784
     ("" (skosimp*)
      (("" (expand "size")
        (("" (expand "del_vert")
          (("" (rewrite "card_remove")
            (("" (lift-if) (("" (ground) nil))))))))))
      nil)
     proved
     ((size const-decl "nat" graphs nil)
      (card_remove formula-decl nil finite_sets nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (pregraph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil) (T formal-type-decl nil graph_ops nil
 )
      (del_vert const-decl "graph[T]" graph_ops nil))
     154 140 nil nil))
   (del_vert_ge 0
    (del_vert_ge-1 nil 3251040627 3251040785
     ("" (skosimp*)
      (("" (expand "size")
        (("" (expand "del_vert")
          (("" (rewrite "card_remove")
            (("" (lift-if) (("" (ground) nil))))))))))
      nil)
     proved
     ((size const-decl "nat" graphs nil)
      (card_remove formula-decl nil finite_sets nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (pregraph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil) (T formal-type-decl nil graph_ops nil
 )
      (del_vert const-decl "graph[T]" graph_ops nil))
     158 140 nil nil))
   (edge_in_del_vert 0
    (edge_in_del_vert-1 nil 3251040627 3251040785
     ("" (skosimp*) (("" (expand "del_vert") (("" (assert) nil)))) nil) proved
     ((del_vert const-decl "graph[T]" graph_ops nil)) 62 40 nil nil))
   (edges_del_vert 0
    (edges_del_vert-1 nil 3251040627 3251040785
     ("" (skosimp*)
      (("" (expand "del_vert") (("" (flatten) (("" (propax) nil)))))) nil)
     proved ((del_vert const-decl "graph[T]" graph_ops nil)) 36 40 nil nil))
   (del_vert_comm 0
    (del_vert_comm-1 nil 3251040627 3251040785
     ("" (skosimp*)
      (("" (apply-extensionality 1 :hide? t)
        (("1" (expand "del_vert")
          (("1" (apply-extensionality 1 :hide? t)
            (("1" (iff 1) (("1" (ground) nil)))))))
         ("2" (expand "del_vert")
          (("2" (apply-extensionality 1 :hide? t) (("2" (grind) nil))))))))
      nil)
     proved
     ((T formal-type-decl nil graph_ops nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil)
      (del_vert const-decl "graph[T]" graph_ops nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (remove const-decl "set" sets nil) (member const-decl "bool" sets nil))
     325 220 nil nil))
   (del_vert_empty? 0
    (del_vert_empty?-1 nil 3251040627 3251040785
     ("" (skosimp*)
      (("" (lemma "card_empty?[T]")
        (("" (inst?)
          (("" (replace -1 * rl)
            (("" (hide -1)
              (("" (expand "singleton?")
                (("" (expand "size")
                  (("" (lemma "size_del_vert")
                    (("" (inst?)
                      (("" (expand "size") (("" (assert) nil)))))))))))))))))))
 )
      nil)
     proved
     ((T formal-type-decl nil graph_ops nil)
      (card_empty? formula-decl nil finite_sets nil)
      (singleton? const-decl "bool" graphs nil)
      (size_del_vert formula-decl nil graph_ops nil)
      (size const-decl "nat" graphs nil)
      (del_vert const-decl "graph[T]" graph_ops nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil))
     163 120 nil nil))
   (del_edge_lem 0
    (del_edge_lem-1 nil 3251040627 3251040785
     ("" (skosimp*)
      (("" (expand "member")
        (("" (expand "del_edge")
          (("" (expand "remove") (("" (propax) nil))))))))
      nil)
     proved
     ((member const-decl "bool" sets nil) (remove const-decl "set" sets nil)
      (del_edge const-decl "graph[T]" graph_ops nil))
     62 30 nil nil))
   (del_edge_lem2 0
    (del_edge_lem2-1 nil 3251040627 3251040785
     ("" (skosimp*) (("" (grind) nil)) nil) proved
     ((remove const-decl "set" sets nil) (member const-decl "bool" sets nil)
      (/= const-decl "boolean" notequal nil)
      (del_edge const-decl "graph[T]" graph_ops nil))
     111 70 nil nil))
   (del_edge_lem3 0
    (del_edge_lem3-1 nil 3251040627 3251040785
     ("" (skosimp*) (("" (grind) nil)) nil) proved
     ((remove const-decl "set" sets nil) (member const-decl "bool" sets nil)
      (del_edge const-decl "graph[T]" graph_ops nil))
     106 70 nil nil))
   (del_edge_lem5 0
    (del_edge_lem5-1 nil 3251040627 3251040786
     ("" (skosimp*)
      (("" (apply-extensionality 2 :hide? t)
        (("1" (apply-extensionality 1 :hide? t)
          (("1" (expand "del_edge") (("1" (grind) nil)))))
         ("2" (expand "del_edge") (("2" (propax) nil))))))
      nil)
     proved
     ((T formal-type-decl nil graph_ops nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil)
      (del_edge const-decl "graph[T]" graph_ops nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (member const-decl "bool" sets nil) (remove const-decl "set" sets nil))
     172 160 nil nil))
   (vert_del_edge 0
    (vert_del_edge-1 nil 3251040627 3251040786 ("" (grind) nil nil) proved
     ((del_edge const-decl "graph[T]" graph_ops nil)) 52 30 nil nil))
   (del_edge_num 0
    (del_edge_num-1 nil 3251040627 3251040786
     ("" (skosimp*)
      (("" (expand "num_edges")
        (("" (case-replace "edges(del_edge(G!1,e!1)) = remove(e!1,edges(G!1))")
          (("1" (rewrite "card_remove[doubleton[T]]") nil)
           ("2" (hide 2)
            (("2" (apply-extensionality :hide? t)
              (("2" (iff 1)
                (("2" (prop)
                  (("1" (lemma "del_edge_lem2")
                    (("1" (inst?)
                      (("1" (lemma "del_edge_lem")
                        (("1" (inst?)
                          (("1" (expand "member")
                            (("1" (assert)
                              (("1" (grind :exclude ("edges" "del_edge"))
                                nil)))))))))))))
                   ("2" (rewrite "del_edge_lem3")
                    (("1" (hide 2) (("1" (grind :exclude "edges") nil)))
                     ("2" (hide 2)
                      (("2" (grind :exclude "edges") nil))))))))))))))))))
      nil)
     proved
     ((num_edges const-decl "nat" graph_ops nil)
      (del_edge_lem3 formula-decl nil graph_ops nil)
      (del_edge_lem2 formula-decl nil graph_ops nil)
      (del_edge_lem formula-decl nil graph_ops nil)
      (member const-decl "bool" sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (card_remove formula-decl nil finite_sets nil)
      (remove const-decl "set" sets nil)
      (del_edge const-decl "graph[T]" graph_ops nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil graph_ops nil))
     337 290 nil nil))
   (del_edge_singleton 0
    (del_edge_singleton-1 nil 3251040627 3251040786
     ("" (skosimp*)
      (("" (expand "singleton?")
        (("" (expand "size") (("" (expand "del_edge") (("" (propax) nil))))))))
      nil)
     proved
     ((singleton? const-decl "bool" graphs nil)
      (del_edge const-decl "graph[T]" graph_ops nil)
      (size const-decl "nat" graphs nil))
     81 70 nil nil))
   (del_vert_edge_comm 0
    (del_vert_edge_comm-1 nil 3251040627 3251040786
     ("" (skosimp*)
      (("" (apply-extensionality 1 :hide? t)
        (("1" (apply-extensionality :hide? t) (("1" (grind) nil)))
         ("2" (expand "del_edge")
          (("2" (expand "del_vert") (("2" (propax) nil))))))))
      nil)
     proved
     ((T formal-type-decl nil graph_ops nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil)
      (del_edge const-decl "graph[T]" graph_ops nil)
      (del_vert const-decl "graph[T]" graph_ops nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (member const-decl "bool" sets nil) (remove const-decl "set" sets nil))
     243 220 nil nil))
   (del_vert_edge 0
    (del_vert_edge-1 nil 3251040627 3251040787
     ("" (skosimp*)
      (("" (rewrite "del_vert_edge_comm")
        (("" (apply-extensionality 1 :hide? t)
          (("1" (apply-extensionality 1 :hide? t) (("1" (grind) nil)))
           ("2" (expand "del_edge") (("2" (propax) nil))))))))
      nil)
     proved
     ((del_vert_edge_comm formula-decl nil graph_ops nil)
      (T formal-type-decl nil graph_ops nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil) (member const-decl "bool" sets nil)
      (remove const-decl "set" sets nil)
      (del_edge const-decl "graph[T]" graph_ops nil)
      (del_vert const-decl "graph[T]" graph_ops nil))
     386 250 nil nil)))
  
  
  $$$graph_deg.pvs
  graph_deg[T: TYPE]: THEORY
  %------------------------------------------------------------------------
  % 
  %  Defines degree of a vertex
  %  ------------------------------------------------
  %
  %      Author: Ricky W. Butler   NASA Langley Research Center
  %
  %  Defines:
  %
  %    incident_edges(v,G) -- returns set of edges attached to vertex v
  %
  %    deg(v,G)          -- number of edges attached to vertex v    
  %
  %------------------------------------------------------------------------
  
  BEGIN
  
     IMPORTING graphs[T], graph_ops[T]
  
     v: VAR T
     G,GS: VAR graph[T]
  
     incident_edges(v,G)  : finite_set[doubleton[T]] 
                                = {e: doubleton[T] | edges(G)(e) AND e(v)}
  
     incident_edges_subset: LEMMA subset?(incident_edges(v,G),edges(G))
  
     deg(v,G): nat = card(incident_edges(v,G))
  
     P : VAR pred[graph[T]]
     n : VAR nat
     e: VAR doubleton[T]
     x,y: VAR T
  
     incident_edges_emptyset: LEMMA edges(G) = emptyset[doubleton[T]] IMPLIES
                                      incident_edges(v,G) = emptyset[doubleton[
 T]]
  
  
     deg_del_edge    : LEMMA e = dbl(x,y) AND edges(G)(e) IMPLIES  
                               deg(y, G) = deg(y, del_edge(G, e)) + 1
  
     deg_del_edge2   : LEMMA e(y) AND edges(G)(e) IMPLIES  
                               deg(y, G) = deg(y, del_edge(G, e)) + 1
  
  
     deg_del_edge3   : LEMMA NOT e(y)  IMPLIES  
                                deg(y, G) = deg(y, del_edge(G, e))
  
     deg_del_edge_ge : LEMMA deg(y, G) >= deg(y, del_edge(G, e))
  
  
     deg_del_edge_le : LEMMA deg(y, G) - 1 <= deg(y, del_edge(G, e))
  
     deg_edge_exists       : LEMMA deg(v,G) > 0 IMPLIES
                               (EXISTS e: e(v) AND edges(G)(e))
        
     deg_to_card     : LEMMA deg(v,G) > 0 IMPLIES size(G) >= 2
  
     del_vert_deg_0  : LEMMA deg(v,G) = 0 IMPLIES 
                                 edges(del_vert(G,v)) = edges(G)
  
     deg_del_vert: LEMMA x /= v AND edges(G)(dbl[T](x, v))  
                                  IMPLIES deg(v, del_vert(G, x)) = 
                                             deg(v, G) - 1
  
     del_vert_not_incident: LEMMA x /= v AND NOT edges(G)(dbl[T](x, v)) IMPLIES
                                         deg(x, del_vert(G, v)) = deg(x, G)
  
     singleton_deg: LEMMA singleton?(G) IMPLIES deg(v, G) = 0
  
     deg_1_sing   : LEMMA deg(v, G) = 1 IMPLIES 
                             (EXISTS e: incident_edges(v, G) = singleton(e) AND
                                        e(v) AND edges(G)(e))
  
      isol_deg_0: LEMMA isolated?(G) IFF (FORALL (v:(vert(G))):deg(v,G) =0)
  
   
  END graph_deg
  
  
  
  
  $$$graph_deg.prf
  (|graph_deg|
   (|incident_edges_TCC1| "" (SKOSIMP*)
    (("" (LEMMA "finite_subset[doubleton[T]]")
      (("" (INST?)
        (("" (INST -1 "edges(G!1)")
          (("" (ASSERT) (("" (HIDE 2) (("" (GRIND) NIL NIL)) NIL)) NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|incident_edges_subset| "" (GRIND) NIL)
   (|incident_edges_emptyset| "" (SKOSIMP*)
    (("" (APPLY-EXTENSIONALITY 1 :HIDE? T)
      (("" (EXPAND "emptyset")
        (("" (EXPAND "incident_edges") (("" (GROUND) NIL)))))))))
   (|deg_del_edge| "" (SKOSIMP*)
    (("" (EXPAND "deg")
      ((""
        (CASE-REPLACE "incident_edges(y!1, del_edge(G!1,e!1)) = 
                       remove(e!1,incident_edges(y!1, G!1))")
        (("1" (REWRITE "card_remove[doubleton[T]]")
          (("1" (LIFT-IF)
            (("1" (GROUND)
              (("1" (HIDE -1 2)
                (("1" (HIDE -2) (("1" (GRIND) NIL)))))))))))
         ("2" (HIDE 2)
          (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T)
            (("2" (IFF 1)
              (("2" (PROP)
                (("1" (EXPAND "incident_edges")
                  (("1" (GROUND)
                    (("1" (EXPAND "remove")
                      (("1" (EXPAND "member")
                        (("1" (GROUND)
                          (("1" (REPLACE -1)
                            (("1" (HIDE -1)
                              (("1" (LEMMA "del_edge_lem[T]")
                                (("1"
                                  (INST?)
                                  (("1"
                                    (EXPAND "member")
                                    (("1" (PROPAX) NIL)))))))))))
                           ("2" (LEMMA "del_edge_lem2[T]")
                            (("2" (INST?)
                              (("2" (ASSERT) NIL)))))))))))))))
                 ("2" (EXPAND "incident_edges")
                  (("2" (EXPAND "remove")
                    (("2" (FLATTEN)
                      (("2" (EXPAND "member")
                        (("2" (GROUND)
                          (("2" (REWRITE "del_edge_lem3")
                            NIL)))))))))))))))))))))))))
   (|deg_del_edge2| "" (SKOSIMP*)
    (("" (LEMMA "deg_del_edge")
      (("" (INST?)
        (("" (TYPEPRED "e!1")
          (("" (SKOSIMP*)
            (("" (CASE "x!1=y!1")
              (("1" (REPLACE -1)
                (("1" (HIDE -1)
                  (("1" (INST -2 "y!2")
                    (("1" (SPLIT -2)
                      (("1" (PROPAX) NIL)
                       ("2" (REPLACE -1)
                        (("2" (HIDE -1)
                          (("2" (HIDE -1 -2 3)
                            (("2" (EXPAND "dbl")
                              (("2" (APPLY-EXTENSIONALITY :HIDE? T)
                                (("2"
                                  (IFF 1)
                                  (("2" (GROUND) NIL)))))))))))))
                       ("3" (PROPAX) NIL)))))))))
               ("2" (CASE "y!2 = y!1")
                (("1" (REPLACE -1)
                  (("1" (HIDE -1)
                    (("1" (INST -2 "x!1") (("1" (ASSERT) NIL)))))))
                 ("2" (HIDE -2 -4 4)
                  (("2" (REPLACE -1)
                    (("2" (HIDE -1)
                      (("2" (EXPAND "dbl")
                        (("2" (GROUND) NIL)))))))))))))))))))))))
   (|deg_del_edge3| "" (SKOSIMP*)
    (("" (EXPAND "deg")
      ((""
        (CASE "incident_edges(y!1, G!1) = incident_edges(y!1, del_edge(G!1, e!1
 ))")
        (("1" (ASSERT) NIL)
         ("2" (HIDE 3)
          (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T)
            (("2" (EXPAND "incident_edges")
              (("2" (IFF 1)
                (("2" (GROUND)
                  (("1" (LEMMA "del_edge_lem3[T]")
                    (("1" (INST?) (("1" (ASSERT) NIL)))))
                   ("2" (LEMMA "del_edge_lem2[T]")
                    (("2" (INST?) (("2" (ASSERT) NIL)))))))))))))))))))))
   (|deg_del_edge_ge| "" (SKOSIMP*)
    (("" (CASE "e!1(y!1)")
      (("1" (LEMMA "deg_del_edge2")
        (("1" (INST?)
          (("1" (ASSERT)
            (("1" (LEMMA "del_edge_lem5[T]")
              (("1" (INST?) (("1" (ASSERT) NIL)))))))))))
       ("2" (LEMMA "deg_del_edge3")
        (("2" (INST?) (("2" (ASSERT) NIL)))))))))
   (|deg_del_edge_le| "" (SKOSIMP*)
    (("" (CASE "e!1(y!1)")
      (("1" (LEMMA "deg_del_edge2")
        (("1" (INST?)
          (("1" (ASSERT)
            (("1" (LEMMA "del_edge_lem5[T]")
              (("1" (INST?) (("1" (ASSERT) NIL)))))))))))
       ("2" (LEMMA "deg_del_edge3")
        (("2" (INST?) (("2" (ASSERT) NIL)))))))))
   (|deg_edge_exists| "" (SKOSIMP*)
    (("" (EXPAND "deg")
      (("" (REWRITE "nonempty_card[doubleton[T]]" :DIR RL)
        (("" (EXPAND "nonempty?")
          (("" (EXPAND "empty?")
            (("" (EXPAND "incident_edges")
              (("" (SKOSIMP*)
                (("" (EXPAND "member")
                  (("" (INST?)
                    (("" (FLATTEN) (("" (ASSERT) NIL)))))))))))))))))))))
   (|deg_to_card| "" (SKOSIMP*)
    (("" (LEMMA "deg_edge_exists")
      (("" (INST?)
        (("" (ASSERT)
          (("" (SKOSIMP*)
            (("" (HIDE -1 -3)
              (("" (TYPEPRED "G!1")
                (("" (INST?)
                  (("" (ASSERT)
                    (("" (TYPEPRED "e!1")
                      (("" (SKOSIMP*)
                        (("" (INST-CP -2 "x!1")
                          (("" (INST -2 "y!1")
                            (("" (REPLACE -1)
                              (("" (HIDE -1)
                                ((""
                                  (HIDE -3)
                                  ((""
                                    (EXPAND "dbl")
                                    ((""
                                      (EXPAND "size")
                                      ((""
                                        (CASE
                                         "subset?(add[T](x!1,singleton(y!1)),ve
 rt(G!1))")
                                        (("1"
                                          (LEMMA "card_subset[T]")
                                          (("1"
                                            (INST?)
                                            (("1"
                                              (ASSERT)
                                              (("1"
                                                (HIDE -2)
                                                (("1"
                                                  (LEMMA "card_add[T]")
                                                  (("1"
                                                    (INST?)
                                                    (("1"
                                                      (LEMMA
                                                       "card_singleton[T]")
                                                      (("1"
                                                        (INST?)
                                                        (("1"
                                                          (REPLACE -1)
                                                          (("1"
                                                            (HIDE -1)
                                                            (("1"
                                                              (EXPAND
                                                               "singleton")
                                                              (("1"
                                                                (REPLACE
  
                                                                 -1)
                                                                (("1"
                                                                  (HIDE
                                                                   -1)
                                                                  (("1"
                                                                    (ASSERT)
                                                                    NIL))))))))
 )))))))))))))))
                                             ("2"
                                              (REWRITE "finite_add[T]")
                                              NIL)))))
                                         ("2"
                                          (HIDE 3)
                                          (("2"
                                            (GRIND)
                                            NIL))))))))))))))))))))))))))))))))
 )))))))))
   (|del_vert_deg_0| "" (SKOSIMP*)
    (("" (EXPAND "deg")
      (("" (LEMMA "card_empty?[doubleton[T]]")
        (("" (INST?)
          (("" (IFF)
            (("" (ASSERT)
              (("" (HIDE -2)
                (("" (EXPAND "incident_edges")
                  (("" (EXPAND "empty?")
                    (("" (EXPAND "member")
                      (("" (APPLY-EXTENSIONALITY 1 :HIDE? T)
                        (("" (EXPAND "del_vert")
                          (("" (INST?)
                            (("" (IFF 1)
                              (("" (GROUND)
                                NIL)))))))))))))))))))))))))))))
   (|deg_del_vert_TCC1| "" (SUBTYPE-TCC) NIL)
   (|deg_del_vert| "" (SKOSIMP*)
    (("" (EXPAND "deg")
      ((""
        (CASE-REPLACE "incident_edges(v!1, del_vert(G!1, x!1)) = 
               incident_edges(v!1, del_edge(G!1,dbl[T](x!1,v!1)))")
        (("1" (HIDE -1)
          (("1" (LEMMA "deg_del_edge")
            (("1" (INST?)
              (("1" (INST -1 "x!1" "v!1")
                (("1" (PROP)
                  (("1" (EXPAND "deg") (("1" (ASSERT) NIL)))))))
               ("2" (INST?) (("2" (ASSERT) NIL)))))))))
         ("2" (HIDE 3)
          (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T)
            (("1" (EXPAND "incident_edges")
              (("1" (GRIND)
                (("1" (HIDE -3)
                  (("1" (REPLACE -2 * RL) (("1" (GRIND) NIL)))))
                 ("2" (HIDE -1 -4)
                  (("2" (LEMMA "edge_has_2_verts[T]")
                    (("2" (INST?)
                      (("2" (INST?) (("2" (ASSERT) NIL)))))))))))))
             ("2" (INST?) (("2" (ASSERT) NIL)))))))
         ("3" (INST?) (("3" (ASSERT) NIL)))))))))
   (|del_vert_not_incident| "" (SKOSIMP*)
    (("" (EXPAND "deg")
      ((""
        (CASE-REPLACE
         "incident_edges(x!1, G!1) = incident_edges(x!1, del_vert(G!1, v!1))")
        (("" (HIDE 4)
          (("" (APPLY-EXTENSIONALITY 1 :HIDE? T)
            (("" (EXPAND "incident_edges")
              (("" (IFF 1)
                (("" (PROP)
                  (("1" (LEMMA "edge_in_del_vert")
                    (("1" (INST?)
                      (("1" (ASSERT)
                        (("1" (LEMMA "edge_has_2_verts")
                          (("1" (INST?)
                            (("1" (INST?) (("1" (ASSERT) NIL)))))))))))))
                   ("2" (EXPAND "del_vert")
                    (("2" (FLATTEN)
                      (("2" (PROPAX) NIL)))))))))))))))))))))
   (|singleton_deg| "" (SKOSIMP*)
    (("" (EXPAND "singleton?")
      (("" (EXPAND "deg")
        (("" (REWRITE "card_is_0[doubleton[T]]")
          (("" (APPLY-EXTENSIONALITY 1 :HIDE? T)
            (("" (EXPAND "incident_edges")
              (("" (EXPAND "emptyset")
                (("" (FLATTEN)
                  (("" (LEMMA "edge_in_card_gt_1[T]")
                    (("" (INST?)
                      (("" (SPLIT -1)
                        (("1" (ASSERT)
                          (("1" (EXPAND "size") (("1" (ASSERT) NIL)))))
                         ("2" (PROPAX) NIL)))))))))))))))))))))))
   (|deg_1_sing| "" (SKOSIMP*)
    (("" (EXPAND "deg")
      (("" (LEMMA "card_one[Dbl]")
        (("" (INST?)
          (("" (FLATTEN)
            (("" (ASSERT)
              (("" (HIDE -2)
                (("" (SKOSIMP*)
                  (("" (INST?)
                    (("" (ASSERT)
                      ((""
                        (CASE-REPLACE
                         "incident_edges(v!1, G!1)(x!1) = singleton(x!1)(x!1)")
                        (("1" (HIDE -2)
                          (("1" (EXPAND "incident_edges")
                            (("1" (EXPAND "singleton")
                              (("1" (FLATTEN) (("1" (ASSERT) NIL)))))))))
                         ("2" (ASSERT) NIL)))))))))))))))))))))))
   (|isol_deg_0| "" (SKOSIMP*)
    (("" (SPLIT)
      (("1" (FLATTEN)
        (("1" (INSTALL-REWRITES "graph_deg")
          (("1" (ASSERT)
            (("1" (SKOSIMP*)
              (("1" (LEMMA "finite_sets[doubleton[T]].empty_card")
                (("1" (INST -1 "incident_edges(v!1, G!1)")
                  (("1" (BDDSIMP)
                    (("1" (ASSERT)
                      (("1" (SKOSIMP*) (("1" (INST -3 "x!1") NIL NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL))
                NIL))
              NIL))
            NIL))
          NIL))
        NIL)
       ("2" (INSTALL-REWRITES "graphs")
        (("2" (ASSERT)
          (("2" (FLATTEN)
            (("2" (SKOSIMP*)
              (("2" (TYPEPRED "G!1")
                (("2" (INST -1 "x!1")
                  (("2" (BDDSIMP)
                    (("2" (LEMMA "edge_in_card_gt_1")
                      (("2" (INST -1 "G!1" "x!1")
                        (("2" (BDDSIMP)
                          (("2" (LEMMA "finite_sets[T].card_1_has_1")
                            (("2" (INST -1 "vert(G!1)")
                              (("2" (ASSERT)
                                (("2"
                                  (SKOSIMP*)
                                  (("2"
                                    (TYPEPRED "x!1")
                                    (("2"
                                      (SKOSIMP*)
                                      (("2"
                                        (HIDE -2 -4)
                                        (("2"
                                          (INST -3 "x!3")
                                          (("2"
                                            (INST -4 "x!3")
                                            (("1"
                                              (LEMMA
                                               "finite_sets[doubleton[T]].empty
 _card")
                                              (("1"
                                                (INST
                                                 -1
                                                 "incident_edges(x!3, G!1)")
                                                (("1"
                                                  (BDDSIMP)
                                                  (("1"
                                                    (ASSERT)
                                                    (("1"
                                                      (INST -1 "x!1")
                                                      (("1"
                                                        (HIDE -1)
                                                        (("1"
                                                          (GRIND)
                                                          NIL
                                                          NIL))
                                                        NIL))
                                                      NIL))
                                                    NIL)
                                                   ("2" (GRIND) NIL NIL))
                                                  NIL))
                                                NIL))
                                              NIL)
                                             ("2" (GRIND) NIL NIL))
                                            NIL))
                                          NIL))
                                        NIL))
                                      NIL))
                                    NIL))
                                  NIL))
                                NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL))
                NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL))
  
  
  $$$abstract_min.pvs
  abstract_min[T: TYPE, size: [T -> nat], P: pred[T]]: THEORY
  %----------------------------------------------------------------------------
 --
  %
  %  The need for a function that returns the smallest object that
  %  satisfies a particular predicate arises in many contexts.  Thus it is
  %  useful to develop an "abstract" min theory that can be instantiated in
  %  multiple ways to provide different min functions.  Such a theory must
  %  be parameterized by
  %
  %    ------------------------------------------------------------------------
 -
  %    | T: TYPE          | the base type over which min is defined            
 |
  %    | size:[T -> nat]  | the size function by which objects are compared    
 |
  %    | P: pred[T]       | the property that the min function must satisfy    
 |
  %    ------------------------------------------------------------------------
 -
  %
  %  Author:
  %
  %      Ricky W. Butler   NASA Langley
  %
  %  Version 2.0           Last modified 10/21/97
  %
  %  Maintained by:
  %
  %     Rick Butler        NASA Langley Research Center   
  %                        R.W.Butler@larc.nasa.gov
  %
  %----------------------------------------------------------------------------
 --
  BEGIN
  
     ASSUMING
  
     T_ne: ASSUMPTION EXISTS (t: T): P(t)
  
     ENDASSUMING
  
     IMPORTING min_nat
  
     n: VAR nat
     S,SS: VAR T
  
     is_one(n): bool = (EXISTS (S: T): P(S) AND size(S) = n)
  
     prep0: LEMMA nonempty?({n: nat | is_one(n)})
  
     min_f: nat = min({n: nat | is_one(n)})
  
     prep1: LEMMA nonempty?({S: T | size(S) = min_f AND P(S)})
  
     minimal?(S): bool = P(S) AND 
                         (FORALL (SS: T): P(SS) IMPLIES size(S) <= size(SS))
  
     min: {S: T | minimal?(S)} 
  
  
     min_def: LEMMA minimal?(min)
  
     min_in : LEMMA P(min) 
  
     min_is_min: LEMMA P(SS) IMPLIES size(min) <= size(SS) 
  
  
  END abstract_min
  
  $$$abstract_min.prf
  (|abstract_min|
   (|prep0| "" (LEMMA "T_ne")
    (("" (EXPAND "nonempty?")
      (("" (EXPAND "empty?")
        (("" (SKOSIMP*)
          (("" (EXPAND "member")
            (("" (EXPAND "is_one")
              (("" (INST -2 "size(t!1)")
                (("" (INST 1 "t!1") (("" (ASSERT) NIL)))))))))))))))))
   (|min_f_TCC1| "" (LEMMA "prep0") (("" (PROPAX) NIL)))
   (|prep1| "" (EXPAND "nonempty?")
    (("" (EXPAND "empty?")
      (("" (EXPAND "member")
        (("" (EXPAND "min_f")
          (("" (TYPEPRED "min({n: nat | is_one(n)})")
            (("1" (EXPAND "is_one")
              (("1" (SKOSIMP*) (("1" (INST -4 "S!1") (("1" (ASSERT) NIL)))))))
             ("2" (REWRITE "prep0") NIL)))))))))))
   (|min_TCC1| "" (LEMMA "prep1")
    (("" (EXPAND "nonempty?")
      (("" (EXPAND "empty?")
        (("" (SKOSIMP*)
          (("" (EXPAND "member")
            (("" (INST?)
              (("" (EXPAND "minimal?")
                (("" (ASSERT)
                  (("" (EXPAND "min_f")
                    (("" (FLATTEN)
                      (("" (ASSERT)
                        (("" (SKOSIMP*)
                          (("" (TYPEPRED "min({n: nat | is_one(n)})")
                            (("1" (INST -2 "size(SS!1)")
                              (("1" (HIDE -1)
                                (("1" (ASSERT)
                                  (("1" (EXPAND "is_one")
                                    (("1" (INST?) (("1" (ASSERT) NIL)))))))))))
                             ("2" (LEMMA "prep0")
                              (("2" (PROPAX) NIL)))))))))))))))))))))))))))))
   (|min_def| "" (TYPEPRED "min") (("" (PROPAX) NIL NIL)) NIL)
   (|min_in| "" (TYPEPRED "min")
    (("" (EXPAND "minimal?") (("" (FLATTEN) (("" (PROPAX) NIL)))))))
   (|min_is_min| "" (SKOSIMP*)
    (("" (TYPEPRED "min")
      (("" (EXPAND "minimal?")
        (("" (FLATTEN) (("" (INST?) (("" (ASSERT) NIL NIL)) NIL)) NIL)) NIL))
      NIL))
    NIL))
  
  
  $$$sep_sets.pvs
  sep_sets[T: TYPE]: THEORY
  
  
  BEGIN
  
     IMPORTING graphs[T], walks[T]
  
     G: VAR graph[T]
     v,s,t: VAR T
     e: VAR doubleton[T]
     V: VAR finite_set[T]
  
     del_verts(G,V): graph[T] =
             (# vert := difference[T](vert(G),V),                    
                edges := {e | edges(G)(e) AND 
                             (FORALL v: V(v) IMPLIES NOT e(v))} #)
  
     separates(G,V,s,t): bool = NOT V(s) AND NOT V(t) AND 
                     NOT (EXISTS (w: prewalk): walk_from?(del_verts(G,V),w,s,t)
 )
  
     seps(G,s,t): TYPE = {V: finite_set[T] | IF s = t OR edge?(G)(s,t) THEN 
                                                V = vert(G) 
                                             ELSE separates(G,V,s,t)
                                             ENDIF}
  
     IMPORTING abstract_min
  
     sep_set_exists: LEMMA (EXISTS (t: seps(G, s, t)): TRUE)
            
     min_sep_set(G,s,t): finite_set[T] = min[seps(G,s,t),
                                    (LAMBDA (v: seps(G,s,t)): card(v)),
                                    (LAMBDA (v: seps(G,s,t)): true)]
  
     separable?(G,s,t): bool = (s /= t AND NOT edge?(G)(s,t)) 
  
  
     min_sep_set_edge: LEMMA NOT separable?(G,s,t) IMPLIES 
                                    min_sep_set(G,s,t) = vert(G)
  
     min_sep_set_card: LEMMA FORALL (s,t: (vert(G))): separates(G,V,s,t)
                                    IMPLIES card(min_sep_set(G,s,t)) <= card(V)
   
  
     min_sep_set_seps: LEMMA separable?(G,s,t) IMPLIES 
                                 separates(G,min_sep_set(G,s,t),s,t)
  
     min_sep_set_vert: LEMMA separable?(G,s,t) AND min_sep_set(G,s,t)(v) 
                                      IMPLIES vert(G)(v)
  
     ends_not_in_min_sep_set: LEMMA separable?(G,s,t)  AND min_sep_set(G, s, t)
 (v) 
                                    IMPLIES v /= s AND v /= t
  
  
     w: VAR prewalk
     walk?_del_verts_not : LEMMA walk?(G, w) AND 
                                    empty?(intersection(verts_of(w),V))
                                        IMPLIES walk?(del_verts(G, V), w)
  
     sep_num(G,s,t): nat = card(min_sep_set(G,s,t))
  
     IMPORTING graph_deg[T], finite_sets@finite_sets_card_eq
  
  
     adj_verts(G,s): finite_set[T] = {v: T | (EXISTS (e: Dbl[T]):
                                           incident_edges[T](s, G)(e)
                                             AND e(v) AND NOT v = s)}
  
     adj_verts_lem: LEMMA card(adj_verts(G,s)) = deg(s,G)
  
     sep_num_min: LEMMA FORALL (s,t: (vert(G))):
                        separable?(G,s,t) IMPLIES
                         sep_num(G,s,t) <= min(deg(s,G),deg(t,G))
  
  END sep_sets
  
  
  
  
  
  
  
  $$$sep_sets.prf
  (sep_sets
   (del_verts_TCC1 0
    (del_verts_TCC1-1 nil 3251040627 3251045857
     ("" (skosimp*)
      (("" (expand "difference")
        (("" (expand "member")
          (("" (inst?)
            (("" (assert)
              (("" (typepred "G!1")
                (("" (inst?)
                  (("" (assert) (("" (inst?) (("" (assert) nil nil)) nil)) nil)
 )
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((difference const-decl "set" sets nil)
      (T formal-type-decl nil sep_sets nil) (graph type-eq-decl nil graphs nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (member const-decl "bool" sets nil))
     152101 8460 t nil))
   (sep_set_exists 0
    (sep_set_exists-1 nil 3251040627 3251040770
     ("" (skosimp*)
      (("" (case "s!1 = t!1 OR edge?(G!1)(s!1,t!1)")
        (("1" (inst 1 "vert(G!1)") (("1" (ground) nil nil)) nil)
         ("2" (inst 2 "{t: T | vert(G!1)(t)  AND t /= s!1 AND t /= t!1}")
          (("2" (prop)
            (("1" (lemma "finite_subset[T]")
              (("1" (inst?)
                (("1" (inst?)
                  (("1" (assert)
                    (("1" (hide 2 3 4) (("1" (grind) nil nil)) nil)) nil))
                  nil))
                nil))
              nil)
             ("2" (hide 4 5)
              (("2" (expand "separates")
                (("2" (skosimp*)
                  (("2" (expand "walk_from?")
                    (("2" (flatten)
                      (("2" (case "l(w!1) = 1")
                        (("1" (replace -1)
                          (("1" (hide -1) (("1" (assert) nil nil)) nil)) nil)
                         ("2" (case-replace "l(w!1) = 2")
                          (("1" (assert)
                            (("1" (expand "walk?")
                              (("1" (flatten)
                                (("1" (inst -5 "0")
                                  (("1" (assert)
                                    (("1" (expand "del_verts")
                                      (("1" (expand "edge?")
                                        (("1"
                                          (expand "fseq")
                                          (("1" (assert) nil nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil)
                           ("2"
                            (case "FORALL (i: below(l(w!1))): seq(w!1)(i) = s!1
  OR seq(w!1)(i) = t!1")
                            (("1" (expand "walk?")
                              (("1" (flatten)
                                (("1" (inst -5 "0")
                                  (("1" (assert)
                                    (("1" (expand "fseq")
                                      (("1" (expand "edge?")
                                        (("1"
                                          (expand "del_verts")
                                          (("1"
                                            (flatten)
                                            (("1"
                                              (inst -1 "1")
                                              (("1" (assert) nil nil))
                                              nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil)
                             ("2" (lemma "walk_verts_in")
                              (("2" (inst?)
                                (("1" (split -1)
                                  (("1" (hide -4)
                                    (("1" (expand "verts_in?")
                                      (("1" (expand "del_verts")
                                        (("1"
                                          (expand "difference")
                                          (("1"
                                            (expand "member")
                                            (("1"
                                              (skosimp*)
                                              (("1"
                                                (inst?)
                                                (("1"
                                                  (flatten)
                                                  (("1" (assert) nil nil))
                                                  nil))
                                                nil))
                                              nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil)
                                   ("2" (propax) nil nil))
                                  nil)
                                 ("2" (hide -1 -2 -3 2 3 4 5 6)
                                  (("2" (lemma "finite_subset[T]")
                                    (("2" (inst?)
                                      (("2" (inst -1 "vert(G!1)")
                                        (("2"
                                          (assert)
                                          (("2"
                                            (hide 2)
                                            (("2" (grind) nil nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((edge? const-decl "bool" graphs nil) (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (T formal-type-decl nil sep_sets nil)
      (OR const-decl "[bool, bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (s!1 skolem-const-decl "T" sep_sets nil)
      (t!1 skolem-const-decl "T" sep_sets nil)
      (G!1 skolem-const-decl "graph[T]" sep_sets nil)
      (TRUE const-decl "bool" booleans nil) (seps type-eq-decl nil sep_sets nil
 )
      (separates const-decl "bool" sep_sets nil)
      (IF const-decl "[boolean, T, T -> T]" if_def nil)
      (is_finite const-decl "bool" finite_sets nil)
      (member const-decl "bool" sets nil) (subset? const-decl "bool" sets nil)
      (finite_subset formula-decl nil finite_sets nil)
      (walk_from? const-decl "bool" walks nil)
      (number nonempty-type-decl nil numbers nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (below type-eq-decl nil nat_types nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (> const-decl "bool" reals nil) (prewalk type-eq-decl nil walks nil)
      (< const-decl "bool" reals nil)
      (below type-eq-decl nil naturalnumbers nil)
      (difference const-decl "set" sets nil)
      (verts_in? const-decl "bool" walks nil)
      (walk_verts_in formula-decl nil walks nil)
      (fseq const-decl "[below[l(fs)] -> T]" seq_def nil)
      (del_verts const-decl "graph[T]" sep_sets nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (int nonempty-type-eq-decl nil integers nil)
      (>= const-decl "bool" reals nil) (walk? const-decl "bool" walks nil))
     847 670 nil nil))
   (min_sep_set_TCC1 0
    (min_sep_set_TCC1-1 nil 3251040627 3251040770
     ("" (skosimp*) (("" (lemma "sep_set_exists") (("" (inst?) nil nil)) nil))
      nil)
     proved
     ((sep_set_exists formula-decl nil sep_sets nil)
      (T formal-type-decl nil sep_sets nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil))
     36 40 nil nil))
   (min_sep_set_edge 0
    (min_sep_set_edge-1 nil 3251040627 3251040770
     ("" (skosimp*)
      (("" (expand "separable?")
        (("" (expand "min_sep_set")
          ((""
            (lemma "min_in[seps(G!1, s!1, t!1),
                  (LAMBDA (v: seps(G!1, s!1, t!1)): card(v)),
                  (LAMBDA (v: seps(G!1, s!1, t!1)): TRUE)]")
            (("1"
              (typepred
               "min[seps(G!1, s!1, t!1), (LAMBDA (v: seps(G!1, s!1, t!1)): card
 (v)),
             (LAMBDA (v: seps(G!1, s!1, t!1)): TRUE)]")
              (("1" (expand "minimal?")
                (("1" (assert) (("1" (flatten) (("1" (assert) nil nil)) nil))
                  nil))
                nil))
              nil)
             ("2" (lemma "sep_set_exists") (("2" (inst?) nil nil)) nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((separable? const-decl "bool" sep_sets nil)
      (TRUE const-decl "bool" booleans nil)
      (card const-decl "{n: nat | n = Card(S)}" finite_sets nil)
      (Card const-decl "nat" finite_sets nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number nonempty-type-decl nil numbers nil)
      (seps type-eq-decl nil sep_sets nil)
      (separates const-decl "bool" sep_sets nil)
      (edge? const-decl "bool" graphs nil) (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (OR const-decl "[bool, bool -> bool]" booleans nil)
      (IF const-decl "[boolean, T, T -> T]" if_def nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil sep_sets nil)
      (min_in formula-decl nil abstract_min nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (minimal? const-decl "bool" abstract_min nil)
      (min const-decl "{S: T | minimal?(S)}" abstract_min nil)
      (sep_set_exists formula-decl nil sep_sets nil)
      (min_sep_set const-decl "finite_set[T]" sep_sets nil))
     212 160 nil nil))
   (min_sep_set_card 0
    (min_sep_set_card-1 nil 3251040627 3251040771
     ("" (skosimp*)
      (("" (expand "min_sep_set")
        ((""
          (lemma "min_is_min[seps(G!1, s!1, t!1),
                  (LAMBDA (v: seps(G!1, s!1, t!1)): card(v)),
                  (LAMBDA (v: seps(G!1, s!1, t!1)): TRUE)]")
          (("1" (inst -1 "V!1")
            (("1" (beta) (("1" (propax) nil nil)) nil)
             ("2" (hide 2)
              (("2" (ground)
                (("1" (expand "separates")
                  (("1" (flatten)
                    (("1" (inst 4 "gen_seq1(G!1,s!1)")
                      (("1" (expand "walk_from?")
                        (("1" (expand "gen_seq1")
                          (("1" (expand "walk?")
                            (("1" (expand "verts_in?")
                              (("1" (skosimp*)
                                (("1" (expand "del_verts")
                                  (("1" (expand "difference")
                                    (("1" (expand "member")
                                      (("1" (propax) nil nil)) nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil)
                 ("2" (expand "separates")
                  (("2" (flatten)
                    (("2" (inst 4 "gen_seq2(G!1,s!1,t!1)")
                      (("2" (expand "walk_from?")
                        (("2" (expand "gen_seq2")
                          (("2" (expand "del_verts")
                            (("2" (expand "walk?")
                              (("2" (split 4)
                                (("1" (expand "verts_in?")
                                  (("1" (skosimp*)
                                    (("1" (expand "difference")
                                      (("1" (expand "member")
                                        (("1" (ground) nil nil)) nil))
                                      nil))
                                    nil))
                                  nil)
                                 ("2" (skosimp*)
                                  (("2" (expand "fseq")
                                    (("2" (expand "edge?")
                                      (("2" (flatten)
                                        (("2"
                                          (assert)
                                          (("2"
                                            (skosimp*)
                                            (("2"
                                              (expand "dbl")
                                              (("2" (ground) nil nil))
                                              nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil)
           ("2" (lemma "sep_set_exists") (("2" (inst?) nil nil)) nil))
          nil))
        nil))
      nil)
     proved
     ((min_sep_set const-decl "finite_set[T]" sep_sets nil)
      (sep_set_exists formula-decl nil sep_sets nil)
      (G!1 skolem-const-decl "graph[T]" sep_sets nil)
      (s!1 skolem-const-decl "(vert(G!1))" sep_sets nil)
      (t!1 skolem-const-decl "(vert(G!1))" sep_sets nil)
      (V!1 skolem-const-decl "finite_set[T]" sep_sets nil)
      (walk_from? const-decl "bool" walks nil)
      (walk? const-decl "bool" walks nil) (difference const-decl "set" sets nil
 )
      (member const-decl "bool" sets nil)
      (del_verts const-decl "graph[T]" sep_sets nil)
      (below type-eq-decl nil nat_types nil)
      (finite_seq type-eq-decl nil seq_def nil) (> const-decl "bool" reals nil)
      (prewalk type-eq-decl nil walks nil)
      (verts_in? const-decl "bool" walks nil) (Seq type-eq-decl nil walks nil)
      (gen_seq1 const-decl "Seq(G)" walks nil)
      (fseq const-decl "[below[l(fs)] -> T]" seq_def nil)
      (gen_seq2 const-decl "Seq(G)" walks nil)
      (min_is_min formula-decl nil abstract_min nil)
      (T formal-type-decl nil sep_sets nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (IF const-decl "[boolean, T, T -> T]" if_def nil)
      (OR const-decl "[bool, bool -> bool]" booleans nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (pregraph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil) (edge? const-decl "bool" graphs nil)
      (separates const-decl "bool" sep_sets nil)
      (seps type-eq-decl nil sep_sets nil)
      (number nonempty-type-decl nil numbers nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (int nonempty-type-eq-decl nil integers nil)
      (>= const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (Card const-decl "nat" finite_sets nil)
      (card const-decl "{n: nat | n = Card(S)}" finite_sets nil)
      (TRUE const-decl "bool" booleans nil))
     631 500 nil nil))
   (min_sep_set_seps 0
    (min_sep_set_seps-1 nil 3251040627 3251040771
     ("" (skosimp*)
      (("" (expand "separable?")
        (("" (flatten)
          ((""
            (lemma "min_in[seps(G!1, s!1, t!1),
                  (LAMBDA (v: seps(G!1, s!1, t!1)): card(v)),
                  (LAMBDA (v: seps(G!1, s!1, t!1)): TRUE)]")
            (("1"
              (typepred
               "min[seps(G!1, s!1, t!1), (LAMBDA (v: seps(G!1, s!1, t!1)): card
 (v)),
             (LAMBDA (v: seps(G!1, s!1, t!1)): TRUE)]")
              (("1" (assert)
                (("1" (expand "min_sep_set") (("1" (propax) nil nil)) nil))
                nil))
              nil)
             ("2" (lemma "sep_set_exists") (("2" (inst?) nil nil)) nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((separable? const-decl "bool" sep_sets nil)
      (TRUE const-decl "bool" booleans nil)
      (card const-decl "{n: nat | n = Card(S)}" finite_sets nil)
      (Card const-decl "nat" finite_sets nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number nonempty-type-decl nil numbers nil)
      (seps type-eq-decl nil sep_sets nil)
      (separates const-decl "bool" sep_sets nil)
      (edge? const-decl "bool" graphs nil) (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (OR const-decl "[bool, bool -> bool]" booleans nil)
      (IF const-decl "[boolean, T, T -> T]" if_def nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil sep_sets nil)
      (min_in formula-decl nil abstract_min nil)
      (min_sep_set const-decl "finite_set[T]" sep_sets nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (minimal? const-decl "bool" abstract_min nil)
      (min const-decl "{S: T | minimal?(S)}" abstract_min nil)
      (sep_set_exists formula-decl nil sep_sets nil))
     163 140 nil nil))
   (min_sep_set_vert 0
    (min_sep_set_vert-1 nil 3251040627 3251040772
     ("" (skosimp*)
      ((""
        (typepred
         "min[seps(G!1, s!1, t!1), (LAMBDA (v: seps(G!1, s!1, t!1)): card(v)),
               (LAMBDA (v: seps(G!1, s!1, t!1)): TRUE)]")
        (("1" (hide -1 -2 -3)
          (("1" (expand "minimal?")
            (("1" (inst -1 "remove(v!1,(min_sep_set(G!1, s!1, t!1)))")
              (("1" (rewrite "card_remove[T]")
                (("1" (assert)
                  (("1" (expand "min_sep_set" -1) (("1" (assert) nil nil)) nil)
 )
                  nil))
                nil)
               ("2" (split 1)
                (("1" (flatten)
                  (("1" (lemma "min_sep_set_edge")
                    (("1" (inst?)
                      (("1" (split -1)
                        (("1" (replace -1) (("1" (propax) nil nil)) nil)
                         ("2" (hide -1)
                          (("2" (expand "separable?")
                            (("2" (flatten) (("2" (assert) nil nil)) nil)) nil)
 )
                          nil))
                        nil))
                      nil))
                    nil))
                  nil)
                 ("2" (flatten)
                  (("2" (ground)
                    (("2" (lemma "min_sep_set_seps")
                      (("2" (inst?)
                        (("2" (assert)
                          (("2" (expand "separates")
                            (("2" (flatten)
                              (("2" (expand "remove")
                                (("2" (expand "member")
                                  (("2" (assert)
                                    (("2" (skosimp*)
                                      (("2" (inst 3 "w!1")
                                        (("2"
                                          (expand "walk_from?")
                                          (("2"
                                            (flatten)
                                            (("2"
                                              (expand "walk?")
                                              (("2"
                                                (flatten)
                                                (("2"
                                                  (assert)
                                                  (("2"
                                                    (split 3)
                                                    (("1"
                                                      (hide -4)
                                                      (("1"
                                                        (expand "verts_in?")
                                                        (("1"
                                                          (skosimp*)
                                                          (("1"
                                                            (expand "del_verts"
 )
                                                            (("1"
                                                              (expand
                                                               "difference")
                                                              (("1"
                                                                (expand
                                                                 "member")
                                                                (("1"
                                                                  (inst
                                                                   -3
                                                                   "i!1")
                                                                  (("1"
                                                                    (flatten)
                                                                    (("1"
                                                                      (assert)
                                                                      nil
                                                                      nil))
                                                                    nil))
                                                                  nil))
                                                                nil))
                                                              nil))
                                                            nil))
                                                          nil))
                                                        nil))
                                                      nil)
                                                     ("2"
                                                      (hide -3)
                                                      (("2"
                                                        (skosimp*)
                                                        (("2"
                                                          (inst?)
                                                          (("2"
                                                            (assert)
                                                            (("2"
                                                              (expand "edge?")
                                                              (("2"
                                                                (flatten)
                                                                (("2"
                                                                  (expand
                                                                   "fseq")
                                                                  (("2"
                                                                    (expand
                                                                     "del_verts
 ")
                                                                    (("2"
                                                                      (flatten)
                                                                      (("2"
                                                                        (assert
 )
                                                                        (("2"
                                                                          (skos
 imp*)
                                                                          (("2"
                                                                            (ex
 pand
                                                                             "d
 bl")
                                                                            (("
 2"
                                                                              (
 inst
                                                                               
 -7
                                                                               
 "v!2")
                                                                              (
 ("2"
                                                                               
  (assert)
                                                                               
  (("2"
                                                                               
    (split
                                                                               
     -7)
                                                                               
    (("1"
                                                                               
      (propax)
                                                                               
      nil
                                                                               
      nil)
                                                                               
     ("2"
                                                                               
      (case-replace
                                                                               
       "v!1 = v!2")
                                                                               
      (("1"
                                                                               
        (hide
                                                                               
         -1
                                                                               
         -3
                                                                               
         -5
                                                                               
         -6
                                                                               
         -7
                                                                               
         -8
                                                                               
         -9
                                                                               
         1
                                                                               
         2
                                                                               
         3
                                                                               
         4
                                                                               
         5)
                                                                               
        (("1"
                                                                               
          (reveal
                                                                               
           -9)
                                                                               
          (("1"
                                                                               
            (expand
                                                                               
             "verts_in?")
                                                                               
            (("1"
                                                                               
              (expand
                                                                               
               "del_verts")
                                                                               
              (("1"
                                                                               
                (expand
                                                                               
                 "difference")
                                                                               
                (("1"
                                                                               
                  (expand
                                                                               
                   "member")
                                                                               
                  (("1"
                                                                               
                    (split
                                                                               
                     -3)
                                                                               
                    (("1"
                                                                               
                      (inst?)
                                                                               
                      (("1"
                                                                               
                        (flatten)
                                                                               
                        (("1"
                                                                               
                          (assert)
                                                                               
                          nil
                                                                               
                          nil))
                                                                               
                        nil))
                                                                               
                      nil)
                                                                               
                     ("2"
                                                                               
                      (inst?)
                                                                               
                      (("2"
                                                                               
                        (flatten)
                                                                               
                        (("2"
                                                                               
                          (assert)
                                                                               
                          nil
                                                                               
                          nil))
                                                                               
                        nil))
                                                                               
                      nil))
                                                                               
                    nil))
                                                                               
                  nil))
                                                                               
                nil))
                                                                               
              nil))
                                                                               
            nil))
                                                                               
          nil))
                                                                               
        nil)
                                                                               
       ("2"
                                                                               
        (assert)
                                                                               
        nil
                                                                               
        nil))
                                                                               
      nil))
                                                                               
    nil))
                                                                               
  nil))
                                                                              n
 il))
                                                                            nil
 ))
                                                                          nil))
                                                                        nil))
                                                                      nil))
                                                                    nil))
                                                                  nil))
                                                                nil))
                                                              nil))
                                                            nil))
                                                          nil))
                                                        nil))
                                                      nil))
                                                    nil))
                                                  nil))
                                                nil))
                                              nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil)
         ("2" (lemma "sep_set_exists") (("2" (inst?) nil nil)) nil))
        nil))
      nil)
     proved
     ((min const-decl "{S: T | minimal?(S)}" abstract_min nil)
      (minimal? const-decl "bool" abstract_min nil)
      (TRUE const-decl "bool" booleans nil)
      (card const-decl "{n: nat | n = Card(S)}" finite_sets nil)
      (Card const-decl "nat" finite_sets nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number nonempty-type-decl nil numbers nil)
      (seps type-eq-decl nil sep_sets nil)
      (separates const-decl "bool" sep_sets nil)
      (edge? const-decl "bool" graphs nil) (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (OR const-decl "[bool, bool -> bool]" booleans nil)
      (IF const-decl "[boolean, T, T -> T]" if_def nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (set type-eq-decl nil sets nil) (T formal-type-decl nil sep_sets nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (min_sep_set_edge formula-decl nil sep_sets nil)
      (separable? const-decl "bool" sep_sets nil)
      (prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (below type-eq-decl nil nat_types nil)
      (verts_in? const-decl "bool" walks nil)
      (del_verts const-decl "graph[T]" sep_sets nil)
      (< const-decl "bool" reals nil)
      (below type-eq-decl nil naturalnumbers nil)
      (difference const-decl "set" sets nil)
      (+ const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (fseq const-decl "[below[l(fs)] -> T]" seq_def nil)
      (walk? const-decl "bool" walks nil)
      (walk_from? const-decl "bool" walks nil)
      (member const-decl "bool" sets nil)
      (min_sep_set_seps formula-decl nil sep_sets nil)
      (card_remove formula-decl nil finite_sets nil)
      (min_sep_set const-decl "finite_set[T]" sep_sets nil)
      (v!1 skolem-const-decl "T" sep_sets nil)
      (remove const-decl "set" sets nil)
      (G!1 skolem-const-decl "graph[T]" sep_sets nil)
      (t!1 skolem-const-decl "T" sep_sets nil)
      (s!1 skolem-const-decl "T" sep_sets nil)
      (sep_set_exists formula-decl nil sep_sets nil))
     970 780 nil nil))
   (ends_not_in_min_sep_set 0
    (ends_not_in_min_sep_set-1 nil 3251040627 3251040772
     ("" (skosimp*)
      (("" (lemma "min_sep_set_seps")
        (("" (inst?)
          (("" (assert)
            (("" (expand "separates")
              (("" (flatten) (("" (hide 3) (("" (ground) nil nil)) nil)) nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((min_sep_set_seps formula-decl nil sep_sets nil)
      (separates const-decl "bool" sep_sets nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil sep_sets nil))
     88 50 nil nil))
   (walk?_del_verts_not 0
    (walk?_del_verts_not-1 nil 3251040627 3251040773
     ("" (skosimp*)
      (("" (expand "walk?")
        (("" (split +)
          (("1" (flatten)
            (("1" (hide -2)
              (("1" (expand "verts_in?")
                (("1" (skosimp*)
                  (("1" (expand "del_verts")
                    (("1" (expand "intersection")
                      (("1" (expand "empty?")
                        (("1" (expand "difference")
                          (("1" (expand "member")
                            (("1" (inst?)
                              (("1" (assert)
                                (("1" (inst?)
                                  (("1" (assert)
                                    (("1" (expand "verts_of")
                                      (("1" (inst?)
                                        (("1"
                                          (expand "fseq")
                                          (("1" (propax) nil nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil)
           ("2" (skosimp*)
            (("2" (expand "edge?")
              (("2" (inst?)
                (("2" (assert)
                  (("2" (flatten)
                    (("2" (assert)
                      (("2" (expand "del_verts")
                        (("2" (expand "empty?")
                          (("2" (expand "intersection")
                            (("2" (expand "member")
                              (("2" (skosimp*)
                                (("2" (inst?)
                                  (("2" (expand "verts_of")
                                    (("2" (assert)
                                      (("2" (expand "dbl")
                                        (("2"
                                          (split -3)
                                          (("1"
                                            (inst?)
                                            (("1" (assert) nil nil))
                                            nil)
                                           ("2"
                                            (inst?)
                                            (("2" (assert) nil nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((walk? const-decl "bool" walks nil)
      (dbl const-decl "set[T]" doubletons nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (+ const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (edge? const-decl "bool" graphs nil)
      (verts_in? const-decl "bool" walks nil)
      (del_verts const-decl "graph[T]" sep_sets nil)
      (empty? const-decl "bool" sets nil) (member const-decl "bool" sets nil)
      (fseq const-decl "[below[l(fs)] -> T]" seq_def nil)
      (verts_of const-decl "finite_set[T]" walks nil)
      (below type-eq-decl nil naturalnumbers nil)
      (prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil sep_sets nil)
      (below type-eq-decl nil nat_types nil) (< const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (boolean nonempty-type-decl nil booleans nil)
      (number nonempty-type-decl nil numbers nil)
      (difference const-decl "set" sets nil)
      (intersection const-decl "set" sets nil))
     478 360 nil nil))
   (adj_verts_TCC1 0
    (adj_verts_TCC1-1 nil 3251040627 3251040773
     ("" (skosimp*)
      (("" (lemma "finite_subset[T]")
        (("" (inst?)
          (("" (inst -1 "vert(G!1)")
            (("" (assert)
              (("" (hide 2)
                (("" (grind)
                  (("1" (typepred "G!1")
                    (("1" (inst?)
                      (("1" (assert) (("1" (inst?) nil nil)) nil)
                       ("2" (inst 1 "x!2" "y!1") nil nil))
                      nil))
                    nil)
                   ("2" (typepred "G!1")
                    (("2" (inst?)
                      (("1" (assert) (("1" (inst?) nil nil)) nil)
                       ("2" (inst 1 "x!2" "y!1") nil nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((T formal-type-decl nil sep_sets nil)
      (finite_subset formula-decl nil finite_sets nil)
      (y!1 skolem-const-decl "T" sep_sets nil)
      (x!2 skolem-const-decl "T" sep_sets nil)
      (member const-decl "bool" sets nil) (subset? const-decl "bool" sets nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (incident_edges const-decl "finite_set[doubleton[T]]" graph_deg nil)
      (is_finite const-decl "bool" finite_sets nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (Dbl type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil))
     408 340 nil nil))
   (adj_verts_lem 0
    (adj_verts_lem-1 nil 3251040627 3251040774
     ("" (skosimp*)
      (("" (lemma "card_eq_bij[T,Dbl]")
        (("" (expand "deg")
          (("" (inst?)
            (("" (assert)
              (("" (hide 2)
                ((""
                  (inst 1
                   "(LAMBDA (vv: (adj_verts(G!1, s!1))): dbl[T](s!1,vv))")
                  (("1" (expand "bijective?")
                    (("1" (prop)
                      (("1" (expand "injective?")
                        (("1" (skosimp*)
                          (("1"
                            (case "dbl[T](s!1, x1!1)(x1!1) = dbl[T](s!1, x2!1)(
 x1!1)")
                            (("1"
                              (case "dbl[T](s!1, x1!1)(x2!1) = dbl[T](s!1, x2!1
 )(x2!1)")
                              (("1" (hide -3)
                                (("1" (expand "dbl") (("1" (ground) nil nil))
                                  nil))
                                nil)
                               ("2" (assert) nil nil))
                              nil)
                             ("2" (assert) nil nil))
                            nil))
                          nil))
                        nil)
                       ("2" (expand "surjective?")
                        (("2" (skosimp*)
                          (("2" (typepred "y!1")
                            (("2" (skosimp*)
                              (("2" (replace -1)
                                (("2" (case "s!1 = x!1 OR s!1 = y!2")
                                  (("1" (split -1)
                                    (("1" (replace -1)
                                      (("1" (inst 2 "y!2")
                                        (("1"
                                          (expand "adj_verts")
                                          (("1"
                                            (inst + "dbl[T](x!1, y!2)")
                                            (("1"
                                              (assert)
                                              (("1"
                                                (expand "dbl")
                                                (("1" (propax) nil nil))
                                                nil))
                                              nil)
                                             ("2"
                                              (inst?)
                                              (("2"
                                                (expand "dbl")
                                                (("2" (assert) nil nil))
                                                nil))
                                              nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil)
                                     ("2" (inst 2 "x!1")
                                      (("1" (apply-extensionality 2 :hide? t)
                                        (("1"
                                          (expand "dbl")
                                          (("1"
                                            (iff 1)
                                            (("1" (ground) nil nil))
                                            nil))
                                          nil))
                                        nil)
                                       ("2" (expand "adj_verts")
                                        (("2"
                                          (inst?)
                                          (("1"
                                            (assert)
                                            (("1"
                                              (expand "dbl")
                                              (("1" (propax) nil nil))
                                              nil))
                                            nil)
                                           ("2"
                                            (inst?)
                                            (("2" (assert) nil nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil)
                                   ("2" (hide 3)
                                    (("2" (expand "incident_edges")
                                      (("2" (flatten)
                                        (("2"
                                          (hide -1)
                                          (("2"
                                            (expand "dbl")
                                            (("2" (assert) nil nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil)
                   ("2" (skosimp*)
                    (("2" (prop)
                      (("1" (inst?)
                        (("1" (typepred "vv!1")
                          (("1" (expand "adj_verts")
                            (("1" (skosimp*) (("1" (assert) nil nil)) nil))
                            nil))
                          nil))
                        nil)
                       ("2" (typepred "vv!1")
                        (("2" (expand "adj_verts")
                          (("2" (skosimp*)
                            (("2" (expand "incident_edges")
                              (("2" (flatten)
                                (("2" (lemma "edge_has_2_verts")
                                  (("2" (inst?)
                                    (("2" (inst?) (("2" (assert) nil nil)) nil)
 )
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((Dbl type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil sep_sets nil)
      (card_eq_bij formula-decl nil finite_sets_card_eq "finite_sets/")
      (is_finite const-decl "bool" finite_sets nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (pregraph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (graph type-eq-decl nil graphs nil)
      (adj_verts const-decl "finite_set[T]" sep_sets nil)
      (incident_edges const-decl "finite_set[doubleton[T]]" graph_deg nil)
      (edge_has_2_verts formula-decl nil graphs nil)
      (bijective? const-decl "bool" functions nil)
      (surjective? const-decl "bool" functions nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (y!2 skolem-const-decl "T" sep_sets nil)
      (x!1 skolem-const-decl "T" sep_sets nil)
      (OR const-decl "[bool, bool -> bool]" booleans nil)
      (injective? const-decl "bool" functions nil)
      (s!1 skolem-const-decl "T" sep_sets nil)
      (G!1 skolem-const-decl "graph[T]" sep_sets nil)
      (deg const-decl "nat" graph_deg nil))
     621 490 nil nil))
   (sep_num_min 0
    (sep_num_min-1 nil 3251040627 3251040779
     ("" (skosimp*)
      (("" (expand "separable?")
        (("" (flatten)
          (("" (lemma "min_sep_set_card")
            (("" (inst -1 "G!1" "_" "s!1" "t!1")
              (("" (copy -1)
                (("" (inst -1 "adj_verts(G!1,s!1)")
                  (("" (inst -2 "adj_verts(G!1,t!1)")
                    (("" (split -1)
                      (("1" (split -2)
                        (("1" (expand "sep_num")
                          (("1" (lemma "adj_verts_lem")
                            (("1" (inst?)
                              (("1" (replace -1)
                                (("1" (hide -1)
                                  (("1" (lemma "adj_verts_lem")
                                    (("1" (inst?)
                                      (("1" (replace -1)
                                        (("1"
                                          (hide -1)
                                          (("1"
                                            (expand "min")
                                            (("1"
                                              (lift-if)
                                              (("1" (ground) nil nil))
                                              nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil)
                         ("2" (hide -1 4)
                          (("2" (expand "separates")
                            (("2" (expand "adj_verts")
                              (("2" (prop)
                                (("1" (skosimp*)
                                  (("1" (expand "incident_edges")
                                    (("1" (flatten)
                                      (("1" (expand "edge?")
                                        (("1"
                                          (lemma "edge_has_2_verts")
                                          (("1"
                                            (inst?)
                                            (("1"
                                              (inst?)
                                              (("1" (assert) nil nil))
                                              nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil)
                                 ("2" (skosimp*)
                                  (("2" (expand "walk_from?")
                                    (("2" (flatten)
                                      (("2" (expand "walk?")
                                        (("2"
                                          (expand "del_verts")
                                          (("2"
                                            (expand "edge?")
                                            (("2"
                                              (flatten)
                                              (("2"
                                                (expand "verts_in?")
                                                (("2"
                                                  (expand "fseq")
                                                  (("2"
                                                    (assert)
                                                    (("2"
                                                      (inst -4 "l(w!1)-2")
                                                      (("2"
                                                        (assert)
                                                        (("2"
                                                          (flatten)
                                                          (("2"
                                                            (assert)
                                                            (("2"
                                                              (inst
                                                               -5
                                                               "seq(w!1)(l(w!1)
 -2)")
                                                              (("2"
                                                                (split -5)
                                                                (("1"
                                                                  (expand "dbl"
 )
                                                                  (("1"
                                                                    (propax)
                                                                    nil
                                                                    nil))
                                                                  nil)
                                                                 ("2"
                                                                  (inst
                                                                   1
                                                                   "dbl[T](seq(
 w!1)(l(w!1) - 2),seq(w!1)(l(w!1) - 1))")
                                                                  (("1"
                                                                    (split 1)
                                                                    (("1"
                                                                      (expand
                                                                       "inciden
 t_edges")
                                                                      (("1"
                                                                        (expand
                                                                         "dbl")
                                                                        (("1"
                                                                          (prop
 ax)
                                                                          nil
                                                                          nil))
                                                                        nil))
                                                                      nil)
                                                                     ("2"
                                                                      (expand
                                                                       "dbl")
                                                                      (("2"
                                                                        (propax
 )
                                                                        nil
                                                                        nil))
                                                                      nil)
                                                                     ("3"
                                                                      (assert)
                                                                      nil
                                                                      nil))
                                                                    nil)
                                                                   ("2"
                                                                    (inst?)
                                                                    (("2"
                                                                      (assert)
                                                                      nil
                                                                      nil))
                                                                    nil))
                                                                  nil))
                                                                nil))
                                                              nil))
                                                            nil))
                                                          nil))
                                                        nil))
                                                      nil))
                                                    nil))
                                                  nil))
                                                nil))
                                              nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil)
                       ("2" (hide -1 4)
                        (("2" (expand "separates")
                          (("2" (expand "adj_verts")
                            (("2" (prop)
                              (("1" (expand "incident_edges")
                                (("1" (skosimp*)
                                  (("1" (expand "edge?")
                                    (("1" (assert)
                                      (("1" (lemma "edge_has_2_verts")
                                        (("1"
                                          (inst?)
                                          (("1"
                                            (inst -1 "e!1")
                                            (("1" (assert) nil nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil)
                               ("2" (skosimp*)
                                (("2" (expand "walk_from?")
                                  (("2" (flatten)
                                    (("2" (expand "walk?")
                                      (("2" (flatten)
                                        (("2"
                                          (inst -4 "0")
                                          (("2"
                                            (assert)
                                            (("2"
                                              (expand "del_verts")
                                              (("2"
                                                (expand "edge?")
                                                (("2"
                                                  (expand "fseq")
                                                  (("2"
                                                    (flatten)
                                                    (("2"
                                                      (inst -5 "seq(w!1)(1)")
                                                      (("2"
                                                        (split -5)
                                                        (("1"
                                                          (expand "dbl")
                                                          (("1"
                                                            (propax)
                                                            nil
                                                            nil))
                                                          nil)
                                                         ("2"
                                                          (inst
                                                           1
                                                           "dbl[T](seq(w!1)(0),
 seq(w!1)(1))")
                                                          (("1"
                                                            (expand
                                                             "incident_edges")
                                                            (("1"
                                                              (expand "dbl")
                                                              (("1"
                                                                (assert)
                                                                nil
                                                                nil))
                                                              nil))
                                                            nil)
                                                           ("2"
                                                            (inst?)
                                                            (("2"
                                                              (assert)
                                                              nil
                                                              nil))
                                                            nil))
                                                          nil))
                                                        nil))
                                                      nil))
                                                    nil))
                                                  nil))
                                                nil))
                                              nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((separable? const-decl "bool" sep_sets nil)
      (min_sep_set_card formula-decl nil sep_sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (separates const-decl "bool" sep_sets nil)
      (number nonempty-type-decl nil numbers nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (<= const-decl "bool" reals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (int nonempty-type-eq-decl nil integers nil)
      (>= const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (Card const-decl "nat" finite_sets nil)
      (card const-decl "{n: nat | n = Card(S)}" finite_sets nil)
      (min_sep_set const-decl "finite_set[T]" sep_sets nil)
      (w!1 skolem-const-decl "prewalk[T]" sep_sets nil)
      (adj_verts_lem formula-decl nil sep_sets nil)
      (min const-decl "{p: real | p <= m AND p <= n}" real_defs nil)
      (sep_num const-decl "nat" sep_sets nil)
      (incident_edges const-decl "finite_set[doubleton[T]]" graph_deg nil)
      (edge? const-decl "bool" graphs nil) (Dbl type-eq-decl nil doubletons nil
 )
      (edge_has_2_verts formula-decl nil graphs nil)
      (walk_from? const-decl "bool" walks nil)
      (walk? const-decl "bool" walks nil)
      (verts_in? const-decl "bool" walks nil)
      (w!1 skolem-const-decl "prewalk[T]" sep_sets nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (- const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (below type-eq-decl nil nat_types nil)
      (finite_seq type-eq-decl nil seq_def nil) (> const-decl "bool" reals nil)
      (prewalk type-eq-decl nil walks nil)
      (fseq const-decl "[below[l(fs)] -> T]" seq_def nil)
      (del_verts const-decl "graph[T]" sep_sets nil)
      (adj_verts const-decl "finite_set[T]" sep_sets nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil sep_sets nil))
     4629 930 nil nil)))
  
  
  $$$seq_def.pvs
  seq_def[T: TYPE]: THEORY
  BEGIN
  
    finite_seq: TYPE = [# l: nat, seq: [below[l] -> T] #]
  
    fs, fs1, fs2, fs3: VAR finite_seq
    m, n: VAR nat
  
    fin_seq(n): TYPE = {fs | l(fs) = n}
  
    fseq(fs): MACRO [below[l(fs)] -> T] = seq(fs)
  
    CONVERSION fseq ;
  
    o(fs1, fs2): finite_seq =
       LET l1 = l(fs1),
           lsum = l1 + l(fs2)
        IN (# l := lsum,
              seq := (LAMBDA (n:below[lsum]):
                        IF n < l1
                           THEN seq(fs1)(n)
                           ELSE seq(fs2)(n-l1)
                        ENDIF) #);
  
    emptyarr(x: below[0]): T
  
    emptyseq: fin_seq(0) = (# l := 0, seq := emptyarr #) ;
  
   
    p: VAR [nat, nat] ;
  
  
    ^(fs: finite_seq, (p: [nat, below(l(fs))])): 
         fin_seq(IF proj_1(p) > proj_2(p) THEN 0 
                 ELSE proj_2(p)-proj_1(p)+1 ENDIF) =
      LET (m, n) = p
       IN IF m > n 
          THEN emptyseq
          ELSE (# l := n-m+1,
                  seq := (LAMBDA (x: below[n-m+1]): seq(fs)(x + m)) #)
          ENDIF ;
  
    rev(fs): finite_seq = (# l := l(fs),
                             seq := (LAMBDA (i: below(l(fs))): seq(fs)(l(fs)-1-
 i))
                           #)
  
  %%  ^(fs: finite_seq, (p: [m: nat, {n: nat | n >= m AND n < l(fs)}])): 
  %%       fin_seq(proj_2(p)-proj_1(p)+1) =
  %%    LET (m, n) = p IN
  %%             (# l   := n-m+1,
  %%                seq := (LAMBDA (x: below[n-m+1]): seq(fs)(x + m)) #) ;
  %
  %
  %  ^^(fs, p): finite_seq =
  %    LET (m, n) = p
  %     IN IF m > n OR m >= l(fs)
  %        THEN emptyseq
  %        ELSE LET len = IF n < l(fs)  THEN n - m + 1
  %                       ELSE l(fs) - m ENDIF
  %              IN (# l := len,
  %                    seq := (LAMBDA (x: below[len]): seq(fs)(x + m)) #)
  %        ENDIF ;
  %
  %  i,j: VAR nat 
  %  extractors_eq: LEMMA j < l(fs) IMPLIES fs^(i,j) = fs^^(i,j)
  
  
  END seq_def
  
  
  
  $$$seq_def.prf
  (|seq_def| (|oh_TCC1| "" (SUBTYPE-TCC) NIL) (|oh_TCC2| "" (SUBTYPE-TCC) NIL)
   (|emptyarr_TCC1| "" (INST 1 "(LAMBDA (x: below[0]): epsilon! (t:T): true)") 
 (("" (SKOSIMP*) NIL)))
   (|emptyseq_TCC1| "" (PROPAX) NIL) (|caret_TCC1| "" (SUBTYPE-TCC) NIL) (|care
 t_TCC2| "" (SUBTYPE-TCC) NIL)
   (|caret_TCC3| "" (SUBTYPE-TCC) NIL) (|caret_TCC4| "" (SUBTYPE-TCC) NIL) (|ca
 ret_TCC5| "" (SUBTYPE-TCC) NIL)
   (|rev_TCC1| "" (SUBTYPE-TCC) NIL))
  
  $$$walks.pvs
  
  walks[T: TYPE]: THEORY
  
  BEGIN
  
     IMPORTING graphs[T], seq_def, finite_sets@finite_sets_eq
  
     G,GG: VAR graph[T]
     n: VAR nat
     x,u,v,u1,u2,v1,v2,v3: VAR T
     e: VAR doubleton[T]
     i,j: VAR nat
  
     prewalk: TYPE = {w: finite_seq[T] | l(w) > 0}
  
     s,ps,ww: VAR prewalk
  
     verts_in?(G,s): bool = (FORALL (i: below(l(s))): vert(G)(seq(s)(i)))
     
     Seq(G): TYPE = {w: prewalk | verts_in?(G,w)}
  
     walk?(G,ps): bool = verts_in?(G,ps) AND
                               (FORALL n: n < l(ps) - 1 IMPLIES
                                           edge?(G)(ps(n),ps(n+1)))
  
     Walk(G): TYPE = {w: prewalk | walk?(G,w)}
  
     from?(ps,u,v): bool = seq(ps)(0) = u AND seq(ps)(l(ps) - 1) = v
  
     walk_from?(G,ps,u,v): bool =
  	          seq(ps)(0) = u AND seq(ps)(l(ps) - 1) = v AND walk?(G,ps)
  
     Walk_from(G,u,v): TYPE = {w: prewalk | walk_from?(G,w,u,v)}
  
  
     verts_of(ww: prewalk): finite_set[T] = 
                 {t: T | (EXISTS (i: below(l(ww))): ww(i) = t)}
  
     edges_of(ww): finite_set[doubleton[T]] = {e: doubleton[T] |
                             EXISTS (i: below(l(ww)-1)): e = dbl(ww(i),ww(i+1))
 }
  
  
     pre_circuit?(G: graph[T], w: prewalk): bool = walk?(G,w) AND 
                                                   w(0) = w(l(w)-1)
  
  %  ----------------------- Properties -----------------------
  
     verts_in?_concat: LEMMA FORALL (s1,s2: Seq(G)): verts_in?(G,s1 o s2)
  
     verts_in?_caret : LEMMA FORALL (j: below(l(ps))): i <= j IMPLIES
                                     verts_in?(G,ps) IMPLIES verts_in?(G,ps^(i,
 j))
  
    
     vert_seq_lem    : LEMMA FORALL (w: Seq(G)): n < l(w) IMPLIES vert(G)(w(n))
  
     verts_of_subset : LEMMA FORALL (w: Seq(G)):
                                     subset?(verts_of(w),vert(G))
  
  
     edges_of_subset : LEMMA walk?(G,ww) IMPLIES subset?(edges_of(ww),edges(G))
  
     walk_verts_in   : LEMMA walk?(G,ps) IMPLIES verts_in?(G,ps)
  
  
     walk_from_vert  : LEMMA FORALL (w: prewalk,v1,v2:T):
                               walk_from?(G,w,v1,v2) IMPLIES
                                  vert(G)(v1) AND vert(G)(v2)
  
     walk_edge_in    : LEMMA walk?(G,ww) AND 
                             subset?(edges_of(ww),edges(GG)) AND
                             subset?(verts_of(ww),vert(GG))
                           IMPLIES walk?(GG,ww)
    
  %  ----------- operations and constructors for walks --------------------
  
     gen_seq1(G, (u: (vert(G)))): Seq(G) = 
                          (# l := 1, seq := (LAMBDA (i: below(1)): u) #)
  
     gen_seq2(G, (u,v: (vert(G)))): Seq(G) = 
                    (# l := 2,
                       seq := (LAMBDA (i: below(2)):
                                        IF i = 0 THEN u ELSE v ENDIF) #)
     
     Longprewalk: TYPE = {ps: prewalk | l(ps) >= 2}
     
     trunc1(p: Longprewalk ): prewalk = p^(0,l(p)-2)
  
     add1(ww,x): prewalk = (# l := l(ww) + 1,
                             seq := (LAMBDA (ii: below(l(ww) + 1)):
                                      IF ii < l(ww) THEN seq(ww)(ii) ELSE x END
 IF)
                           #)
  
  
     gen_seq1_is_walk: LEMMA vert(G)(x) IMPLIES walk?(G,gen_seq1(G,x))
  
     edge_to_walk    : LEMMA u /= v AND edges(G)(edg[T](u, v)) IMPLIES
                               walk?(G,gen_seq2(G,u,v))
  
  
     walk?_rev       : LEMMA walk?(G,ps) IMPLIES walk?(G,rev(ps))
  
     
  
     w1,w2: VAR prewalk
     walk?_reverse   : LEMMA walk_from?(G,w1,v1,v2) IMPLIES
                               (EXISTS (w: Walk(G)): walk_from?(G,w,v2,v1))
  
     walk?_caret     : LEMMA i <= j AND j < l(ps) AND walk?(G,ps) 
                                 IMPLIES walk?(G,ps^(i,j))
  
  
  
     l_trunc1        : LEMMA l(ww) > 1 IMPLIES l(trunc1(ww)) = l(ww)-1
  
     
     walk?_add1      : LEMMA walk?(G,ww) AND vert(G)(x)
                             AND edge?(G)(seq(ww)(l(ww)-1),x)
                             IMPLIES walk?(G,add1(ww,x))                      
  
  
     walk_concat_edge: LEMMA walk_from?(G, w1, u1, v1) AND
           		           walk_from?(G, w2, u2, v2) AND
                                edge?(G)(v1,u2)
           		        IMPLIES
           		            walk_from?(G, w1 o w2,u1,v2)
  
     walk_concat: LEMMA l(w1) > 1 AND
        		      walk_from?(G, w1, u1, v) AND
        		      walk_from?(G, w2, u2, v)
        		 IMPLIES
        		     walk_from?(G, w1 ^ (0, l(w1) - 2) o rev(w2),u1,u2)
  
     walk?_cut  : LEMMA FORALL (i,j: below(l(ps))): i < j AND
                                    seq(ps)(i) = seq(ps)(j) AND
                                    walk_from?(G, ps, u, v)
                                 IMPLIES
                                    walk_from?(G, ps^(0,i) o ps^(j+1,l(ps)-1),u
 ,v)
  
     yt: VAR T
     p1,p2: VAR prewalk
     walk_merge: LEMMA walk_from?(G, p1, v, yt) AND
        	             walk_from?(G, p2, u, yt)
                             IMPLIES
        	                (EXISTS (p: prewalk): walk_from?(G, p, u, v))
  
  
    AUTO_REWRITE+ l_trunc1         % l(ww) > 1 IMPLIES l(trunc1(ww)) = l(ww)-1
    AUTO_REWRITE+ vert_seq_lem     % n < l(w) IMPLIES vert(G)(w(n))
    AUTO_REWRITE+ verts_of_subset  % subset?(verts_of(w),vert(G))
    AUTO_REWRITE+ edges_of_subset  % walk?(ww) -> subset?(edges_of(ww),edges(G)
 )
    AUTO_REWRITE+ walk_verts_in    % walk?(G,ps) IMPLIES verts_in?(G,ps)
  
  END walks
  
  
  $$$walks.prf
  (walks
   (walk?_TCC1 0
    (walk?_TCC1-1 nil 3262701974 3262702173 ("" (subtype-tcc) nil nil) proved
     ((boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (T formal-type-decl nil walks nil) (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil) (graph type-eq-decl nil graphs nil
 )
      (number nonempty-type-decl nil numbers nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (> const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (below type-eq-decl nil nat_types nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (prewalk type-eq-decl nil walks nil) (>= const-decl "bool" reals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (int nonempty-type-eq-decl nil integers nil)
      (verts_in? const-decl "bool" walks nil))
     174 180 nil nil))
   (walk?_TCC2 0
    (walk?_TCC2-1 nil 3262701974 3262702174 ("" (subtype-tcc) nil nil) proved
     ((boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (T formal-type-decl nil walks nil) (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil) (graph type-eq-decl nil graphs nil
 )
      (number nonempty-type-decl nil numbers nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (> const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (below type-eq-decl nil nat_types nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (prewalk type-eq-decl nil walks nil) (>= const-decl "bool" reals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (int nonempty-type-eq-decl nil integers nil)
      (verts_in? const-decl "bool" walks nil))
     370 310 nil nil))
   (from?_TCC1 0
    (from?_TCC1-1 nil 3262701974 3262702174 ("" (subtype-tcc) nil nil) proved
     nil 27 20 nil nil))
   (from?_TCC2 0
    (from?_TCC2-1 nil 3262701974 3262702174 ("" (subtype-tcc) nil nil) proved
     nil 32 30 nil nil))
   (verts_of_TCC1 0
    (verts_of_TCC1-1 nil 3262701974 3263027946
     ("" (skosimp*)
      (("" (lemma "surjection_from_finite_set[below(l(ww!1)),T]")
        (("" (inst?)
          (("" (inst -1 "fullset[below(l(ww!1))]")
            (("1" (assert)
              (("1" (hide 2)
                (("1" (inst 1 "(LAMBDA (i: below(l(ww!1))): seq(ww!1)(i))")
                  (("1" (expand "restrict")
                    (("1" (expand "surjective?")
                      (("1" (skosimp*)
                        (("1" (typepred "y!1")
                          (("1" (skosimp*)
                            (("1" (inst?)
                              (("1" (assert)
                                (("1" (expand "fullset")
                                  (("1" (propax) nil nil)) nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil)
                   ("2" (skosimp*) (("2" (inst?) nil nil)) nil)
                   ("3" (skosimp*) (("3" (inst?) nil nil)) nil))
                  nil))
                nil))
              nil)
             ("2" (hide 2)
              (("2" (expand "is_finite")
                (("2" (inst 1 "l(ww!1)" "(LAMBDA (ii: below(l(ww!1))): ii)")
                  (("2" (expand "injective?")
                    (("2" (expand "restrict") (("2" (propax) nil nil)) nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((below type-eq-decl nil naturalnumbers nil)
      (prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil walks nil) (below type-eq-decl nil nat_types nil)
      (< const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (boolean nonempty-type-decl nil booleans nil)
      (number nonempty-type-decl nil numbers nil)
      (surjection_from_finite_set formula-decl nil finite_sets_eq
       "finite_sets/")
      (fullset const-decl "set" sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (ww!1 skolem-const-decl "prewalk" walks nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (i!1 skolem-const-decl "below(l(ww!1))" walks nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (surjective? const-decl "bool" functions nil)
      (restrict const-decl "R" restrict nil)
      (injective? const-decl "bool" functions nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (set type-eq-decl nil sets nil))
     74143 20550 t nil))
   (edges_of_TCC1 0
    (edges_of_TCC1-1 nil 3262701974 3262702174 ("" (subtype-tcc) nil nil) prove
 d
     nil 47 50 nil nil))
   (edges_of_TCC2 0
    (edges_of_TCC2-1 nil 3262701974 3262702174 ("" (subtype-tcc) nil nil) prove
 d
     nil 46 50 nil nil))
   (edges_of_TCC3 0
    (edges_of_TCC3-1 nil 3262701974 3262702175
     ("" (skosimp*)
      (("" (expand "is_finite")
        ((""
          (inst 1 "l(ww!1) - 1" "(LAMBDA (e: {e: doubleton[T] |
             EXISTS (i: below(l(ww!1) - 1)):
               e = dbl[T](fseq[T](ww!1)(i), fseq[T](ww!1)(i + 1))}): 
          choose({i: below(l(ww!1) - 1) | 
                     e = dbl[T](fseq[T](ww!1)(i), fseq[T](ww!1)(i + 1))}))")
          (("1" (expand "injective?")
            (("1" (skosimp*) (("1" (assert) nil nil)) nil)) nil)
           ("2" (skosimp*)
            (("2" (expand "nonempty?")
              (("2" (expand "empty?")
                (("2" (expand "member")
                  (("2" (expand "fseq")
                    (("2" (typepred "ww!1")
                      (("2" (typepred "e!1")
                        (("2" (skosimp*)
                          (("2" (inst -4 "i!1")
                            (("2" (expand "fseq") (("2" (propax) nil nil)) nil)
 )
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((is_finite const-decl "bool" finite_sets nil)
      (empty? const-decl "bool" sets nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (member const-decl "bool" sets nil)
      (injective? const-decl "bool" functions nil)
      (choose const-decl "(p)" sets nil) (T formal-type-decl nil walks nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (number nonempty-type-decl nil numbers nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (int nonempty-type-eq-decl nil integers nil)
      (>= const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (< const-decl "bool" reals nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (- const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (below type-eq-decl nil nat_types nil)
      (finite_seq type-eq-decl nil seq_def nil) (> const-decl "bool" reals nil)
      (prewalk type-eq-decl nil walks nil)
      (ww!1 skolem-const-decl "prewalk" walks nil)
      (below type-eq-decl nil naturalnumbers nil)
      (+ const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (nonempty? const-decl "bool" sets nil))
     709 630 nil nil))
   (pre_circuit?_TCC1 0
    (pre_circuit?_TCC1-1 nil 3262701974 3262702175 ("" (subtype-tcc) nil nil)
     proved
     ((verts_in? const-decl "bool" walks nil)
      (/= const-decl "boolean" notequal nil) (T formal-type-decl nil walks nil)
      (edge? const-decl "bool" graphs nil) (walk? const-decl "bool" walks nil))
     94 80 nil nil))
   (pre_circuit?_TCC2 0
    (pre_circuit?_TCC2-1 nil 3262701974 3262702175 ("" (subtype-tcc) nil nil)
     proved
     ((verts_in? const-decl "bool" walks nil)
      (/= const-decl "boolean" notequal nil) (T formal-type-decl nil walks nil)
      (edge? const-decl "bool" graphs nil) (walk? const-decl "bool" walks nil))
     129 90 nil nil))
   (verts_in?_concat_TCC1 0
    (verts_in?_concat_TCC1-1 nil 3262701974 3262702176
     ("" (subtype-tcc) nil nil) proved ((O const-decl "finite_seq" seq_def nil)
 )
     235 240 nil nil))
   (verts_in?_concat 0
    (verts_in?_concat-1 nil 3262701974 3262702176
     ("" (skosimp*)
      (("" (expand "verts_in?")
        (("" (skosimp*)
          (("" (typepred "i!1")
            (("" (expand "o ")
              (("" (ground)
                (("1" (typepred "s1!1")
                  (("1" (expand "verts_in?") (("1" (inst?) nil nil)) nil)) nil)
                 ("2" (typepred "s2!1")
                  (("2" (expand "verts_in?") (("2" (inst?) nil nil)) nil)) nil)
 )
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((verts_in? const-decl "bool" walks nil)
      (below type-eq-decl nil naturalnumbers nil)
      (Seq type-eq-decl nil walks nil) (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil) (prewalk type-eq-decl nil walks nil)
      (> const-decl "bool" reals nil) (O const-decl "finite_seq" seq_def nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil walks nil) (below type-eq-decl nil nat_types nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (< const-decl "bool" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number nonempty-type-decl nil numbers nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (- const-decl "[numfield, numfield -> numfield]" number_fields nil))
     487 460 nil nil))
   (verts_in?_caret_TCC1 0
    (verts_in?_caret_TCC1-1 nil 3262701974 3262702176
     ("" (skosimp*)
      (("" (expand "verts_in?")
        (("" (expand "^")
          (("" (expand "emptyseq") (("" (lift-if) (("" (ground) nil nil)) nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((verts_in? const-decl "bool" walks nil)
      (emptyseq const-decl "fin_seq(0)" seq_def nil)
      (^ const-decl "fin_seq(IF PROJ_1(p) > PROJ_2(p) THEN 0
          ELSE PROJ_2(p) - PROJ_1(p) + 1
          ENDIF)" seq_def nil))
     393 360 nil nil))
   (verts_in?_caret 0
    (verts_in?_caret-1 nil 3262701974 3262702177
     ("" (skosimp*)
      (("" (expand "verts_in?")
        (("" (skosimp*)
          (("" (inst?)
            (("1" (typepred "i!2")
              (("1" (expand "^")
                (("1" (expand "emptyseq")
                  (("1" (lift-if)
                    (("1" (ground)
                      (("1" (typepred "i!2")
                        (("1" (expand "^")
                          (("1" (typepred "j!1")
                            (("1" (reveal -1) (("1" (inst?) nil nil)) nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil)
             ("2" (typepred "i!1")
              (("2" (typepred "i!2")
                (("2" (expand "^")
                  (("2" (lift-if)
                    (("2" (expand "emptyseq") (("2" (ground) nil nil)) nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((verts_in? const-decl "bool" walks nil)
      (ps!1 skolem-const-decl "prewalk" walks nil)
      (prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil walks nil) (below type-eq-decl nil nat_types nil)
      (i!1 skolem-const-decl "nat" walks nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (< const-decl "bool" reals nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (boolean nonempty-type-decl nil booleans nil)
      (number nonempty-type-decl nil numbers nil)
      (below type-eq-decl nil naturalnumbers nil)
      (emptyseq const-decl "fin_seq(0)" seq_def nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (IF const-decl "[boolean, T, T -> T]" if_def nil)
      (+ const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (- const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (fin_seq type-eq-decl nil seq_def nil)
      (^ const-decl "fin_seq(IF PROJ_1(p) > PROJ_2(p) THEN 0
          ELSE PROJ_2(p) - PROJ_1(p) + 1
          ENDIF)" seq_def nil))
     752 710 nil nil))
   (vert_seq_lem 0
    (vert_seq_lem-1 nil 3262701974 3262702177
     ("" (skosimp*)
      (("" (expand "fseq")
        (("" (typepred "w!1")
          (("" (expand "verts_in?") (("" (inst - "n!1") nil nil)) nil)) nil))
        nil))
      nil)
     proved
     ((Seq type-eq-decl nil walks nil) (verts_in? const-decl "bool" walks nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil) (prewalk type-eq-decl nil walks nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil walks nil) (below type-eq-decl nil nat_types nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (> const-decl "bool" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number nonempty-type-decl nil numbers nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (int nonempty-type-eq-decl nil integers nil)
      (>= const-decl "bool" reals nil) (< const-decl "bool" reals nil)
      (below type-eq-decl nil naturalnumbers nil)
      (w!1 skolem-const-decl "Seq(G!1)" walks nil)
      (G!1 skolem-const-decl "graph[T]" walks nil)
      (n!1 skolem-const-decl "nat" walks nil))
     101 70 nil nil))
   (verts_of_subset 0
    (verts_of_subset-1 nil 3262701974 3262702177
     ("" (skosimp*)
      (("" (typepred "w!1")
        (("" (expand "subset?")
          (("" (skosimp*)
            (("" (expand "verts_in?")
              (("" (expand "member")
                (("" (expand "verts_of")
                  (("" (skosimp*)
                    (("" (expand "fseq")
                      (("" (inst?) (("" (assert) nil nil)) nil)) nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((Seq type-eq-decl nil walks nil) (verts_in? const-decl "bool" walks nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil) (prewalk type-eq-decl nil walks nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil walks nil) (below type-eq-decl nil nat_types nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (> const-decl "bool" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number nonempty-type-decl nil numbers nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (member const-decl "bool" sets nil)
      (below type-eq-decl nil naturalnumbers nil)
      (< const-decl "bool" reals nil) (>= const-decl "bool" reals nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (verts_of const-decl "finite_set[T]" walks nil)
      (subset? const-decl "bool" sets nil))
     104 100 nil nil))
   (edges_of_subset 0
    (edges_of_subset-1 nil 3262701974 3262702178
     ("" (skosimp*)
      (("" (expand "subset?")
        (("" (skosimp*)
          (("" (expand "member")
            (("" (expand "edges_of")
              (("" (expand "fseq")
                (("" (skosimp*)
                  (("" (replace -2)
                    (("" (hide -2)
                      (("" (expand "walk?")
                        (("" (flatten)
                          (("" (inst - "i!1")
                            (("" (assert)
                              (("" (expand "edge?")
                                (("" (expand "fseq") (("" (propax) nil nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((subset? const-decl "bool" sets nil) (member const-decl "bool" sets nil)
      (edge? const-decl "bool" graphs nil)
      (below type-eq-decl nil naturalnumbers nil)
      (prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil walks nil) (below type-eq-decl nil nat_types nil)
      (- const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (< const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (boolean nonempty-type-decl nil booleans nil)
      (number nonempty-type-decl nil numbers nil)
      (walk? const-decl "bool" walks nil)
      (edges_of const-decl "finite_set[doubleton[T]]" walks nil))
     328 290 nil nil))
   (walk_verts_in 0
    (walk_verts_in-1 nil 3262701974 3262702178
     ("" (skosimp*) (("" (expand "walk?") (("" (flatten) nil nil)) nil)) nil)
     proved ((walk? const-decl "bool" walks nil)) 47 50 nil nil))
   (walk_from_vert 0
    (walk_from_vert-1 nil 3262701974 3262702178
     ("" (skosimp*)
      (("" (expand "walk_from?")
        (("" (flatten)
          (("" (expand "walk?")
            (("" (flatten)
              (("" (expand "verts_in?")
                (("" (inst-cp -3 "0")
                  (("" (inst -3 "l(w!1)-1") (("" (assert) nil nil)) nil)) nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((walk_from? const-decl "bool" walks nil)
      (walk? const-decl "bool" walks nil)
      (verts_in? const-decl "bool" walks nil)
      (- const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (below type-eq-decl nil naturalnumbers nil)
      (prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil walks nil) (below type-eq-decl nil nat_types nil)
      (< const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (boolean nonempty-type-decl nil booleans nil)
      (number nonempty-type-decl nil numbers nil))
     155 130 nil nil))
   (walk_edge_in 0
    (walk_edge_in-1 nil 3262701974 3262702178
     ("" (skosimp*)
      (("" (expand "walk?")
        (("" (flatten)
          (("" (split 1)
            (("1" (hide -2)
              (("1" (expand "verts_in?")
                (("1" (skosimp*)
                  (("1" (inst?)
                    (("1" (expand "verts_of")
                      (("1" (hide -2)
                        (("1" (expand "subset?")
                          (("1" (expand "member")
                            (("1" (inst?)
                              (("1" (split -2)
                                (("1" (propax) nil nil)
                                 ("2" (inst?)
                                  (("2" (expand "fseq") (("2" (propax) nil nil)
 )
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil)
             ("2" (skosimp*)
              (("2" (hide -5)
                (("2" (expand "subset?")
                  (("2" (expand "member")
                    (("2" (inst?)
                      (("2" (assert)
                        (("2" (expand "edge?")
                          (("2" (flatten)
                            (("2" (inst?)
                              (("1" (expand "edges_of")
                                (("1" (split -4)
                                  (("1" (assert) nil nil) ("2" (inst?) nil nil)
 )
                                  nil))
                                nil)
                               ("2" (inst?) (("2" (assert) nil nil)) nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((walk? const-decl "bool" walks nil)
      (verts_in? const-decl "bool" walks nil)
      (number nonempty-type-decl nil numbers nil)
      (boolean nonempty-type-decl nil booleans nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (int nonempty-type-eq-decl nil integers nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (>= const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (< const-decl "bool" reals nil) (below type-eq-decl nil nat_types nil)
      (T formal-type-decl nil walks nil)
      (finite_seq type-eq-decl nil seq_def nil) (> const-decl "bool" reals nil)
      (prewalk type-eq-decl nil walks nil)
      (below type-eq-decl nil naturalnumbers nil)
      (member const-decl "bool" sets nil) (subset? const-decl "bool" sets nil)
      (verts_of const-decl "finite_set[T]" walks nil)
      (edges_of const-decl "finite_set[doubleton[T]]" walks nil)
      (- const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (doubleton type-eq-decl nil doubletons nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil) (set type-eq-decl nil sets nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (ww!1 skolem-const-decl "prewalk" walks nil)
      (n!1 skolem-const-decl "nat" walks nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (+ const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (edge? const-decl "bool" graphs nil))
     485 460 nil nil))
   (gen_seq1_TCC1 0
    (gen_seq1_TCC1-1 nil 3262701974 3262702179
     ("" (skosimp*) (("" (expand "verts_in?") (("" (propax) nil nil)) nil)) nil
 )
     proved ((verts_in? const-decl "bool" walks nil)) 61 50 nil nil))
   (gen_seq2_TCC1 0
    (gen_seq2_TCC1-1 nil 3262701974 3262702179
     ("" (skosimp*) (("" (expand "verts_in?") (("" (propax) nil nil)) nil)) nil
 )
     proved ((verts_in? const-decl "bool" walks nil)) 51 50 nil nil))
   (trunc1_TCC1 0
    (trunc1_TCC1-1 nil 3262701974 3262702179 ("" (subtype-tcc) nil nil) proved
     nil 31 30 nil nil))
   (trunc1_TCC2 0
    (trunc1_TCC2-1 nil 3262701974 3262702179 ("" (subtype-tcc) nil nil) proved
     ((^ const-decl "fin_seq(IF PROJ_1(p) > PROJ_2(p) THEN 0
          ELSE PROJ_2(p) - PROJ_1(p) + 1
          ENDIF)" seq_def nil))
     189 190 nil nil))
   (add1_TCC1 0
    (add1_TCC1-1 nil 3262701974 3262702179 ("" (subtype-tcc) nil nil) proved ni
 l
     30 30 nil nil))
   (gen_seq1_is_walk 0
    (gen_seq1_is_walk-1 nil 3262701974 3262702179
     ("" (skosimp*)
      (("" (expand "gen_seq1")
        (("" (expand "walk?")
          (("" (expand "verts_in?") (("" (skosimp*) nil nil)) nil)) nil))
        nil))
      nil)
     proved
     ((gen_seq1 const-decl "Seq(G)" walks nil)
      (verts_in? const-decl "bool" walks nil)
      (walk? const-decl "bool" walks nil))
     96 70 nil nil))
   (edge_to_walk_TCC1 0
    (edge_to_walk_TCC1-1 nil 3262701974 3262702179 ("" (subtype-tcc) nil nil)
     proved ((/= const-decl "boolean" notequal nil)) 36 40 nil nil))
   (edge_to_walk_TCC2 0
    (edge_to_walk_TCC2-1 nil 3262701974 3262702179
     ("" (skosimp*)
      (("" (expand "edg")
        (("" (typepred "G!1")
          (("" (inst?)
            (("1" (assert)
              (("1" (inst?)
                (("1" (hide -2)
                  (("1" (expand "dbl") (("1" (propax) nil nil)) nil)) nil))
                nil))
              nil)
             ("2" (inst?) (("2" (assert) nil nil)) nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((edg const-decl "doubleton[T]" graphs nil)
      (u!1 skolem-const-decl "T" walks nil)
      (v!1 skolem-const-decl "T" walks nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (T formal-type-decl nil walks nil) (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil)
      (graph type-eq-decl nil graphs nil))
     107 110 nil nil))
   (edge_to_walk_TCC3 0
    (edge_to_walk_TCC3-1 nil 3262701974 3262702179
     ("" (skosimp*)
      (("" (typepred "G!1")
        (("" (inst?)
          (("1" (assert)
            (("1" (inst -1 "v!1")
              (("1" (expand "edg")
                (("1" (expand "dbl") (("1" (propax) nil nil)) nil)) nil))
              nil))
            nil)
           ("2" (assert) nil nil))
          nil))
        nil))
      nil)
     proved
     ((graph type-eq-decl nil graphs nil) (pregraph type-eq-decl nil graphs nil
 )
      (finite_set type-eq-decl nil finite_sets nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil) (T formal-type-decl nil walks nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (edg const-decl "doubleton[T]" graphs nil)
      (u!1 skolem-const-decl "T" walks nil)
      (v!1 skolem-const-decl "T" walks nil))
     115 80 nil nil))
   (edge_to_walk 0
    (edge_to_walk-1 nil 3262701974 3262702179
     ("" (skosimp*)
      (("" (expand "walk?")
        (("" (expand "gen_seq2")
          (("" (split 2)
            (("1" (expand "verts_in?") (("1" (propax) nil nil)) nil)
             ("2" (skosimp*)
              (("2" (expand "fseq")
                (("2" (assert)
                  (("2" (expand "edge?")
                    (("2" (expand "edg") (("2" (propax) nil nil)) nil)) nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((walk? const-decl "bool" walks nil)
      (verts_in? const-decl "bool" walks nil)
      (edg const-decl "doubleton[T]" graphs nil)
      (edge? const-decl "bool" graphs nil)
      (gen_seq2 const-decl "Seq(G)" walks nil))
     171 150 nil nil))
   (walk?_rev_TCC1 0
    (walk?_rev_TCC1-1 nil 3262701974 3262702180 ("" (subtype-tcc) nil nil)
     proved
     ((verts_in? const-decl "bool" walks nil)
      (/= const-decl "boolean" notequal nil) (T formal-type-decl nil walks nil)
      (edge? const-decl "bool" graphs nil) (walk? const-decl "bool" walks nil)
      (rev const-decl "finite_seq" seq_def nil))
     141 140 nil nil))
   (walk?_rev 0
    (walk?_rev-1 nil 3262701974 3262702180
     ("" (skosimp*)
      (("" (expand "walk?")
        (("" (flatten)
          (("" (split +)
            (("1" (hide -2)
              (("1" (expand "verts_in?")
                (("1" (skosimp*)
                  (("1" (typepred "i!1")
                    (("1" (expand "rev")
                      (("1" (inst?) (("1" (assert) nil nil)) nil)) nil))
                    nil))
                  nil))
                nil))
              nil)
             ("2" (skosimp*)
              (("2" (expand "fseq")
                (("2" (expand "edge?")
                  (("2" (hide -2)
                    (("2" (expand "rev")
                      (("2" (inst - "l(ps!1) - 2 - n!1")
                        (("1" (assert)
                          (("1" (flatten)
                            (("1" (assert) (("1" (rewrite "dbl_comm") nil nil))
                              nil))
                            nil))
                          nil)
                         ("2" (assert) nil nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((walk? const-decl "bool" walks nil)
      (verts_in? const-decl "bool" walks nil)
      (below type-eq-decl nil naturalnumbers nil)
      (prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (rev const-decl "finite_seq" seq_def nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil walks nil) (below type-eq-decl nil nat_types nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (< const-decl "bool" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number nonempty-type-decl nil numbers nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (- const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (i!1 skolem-const-decl "below(l(rev(ps!1)))" walks nil)
      (ps!1 skolem-const-decl "prewalk" walks nil)
      (edge? const-decl "bool" graphs nil)
      (dbl_comm formula-decl nil doubletons nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (n!1 skolem-const-decl "nat" walks nil))
     421 380 nil nil))
   (walk?_reverse 0
    (walk?_reverse-1 nil 3262701974 3262702181
     ("" (skosimp*)
      (("" (expand "walk_from?")
        (("" (flatten)
          ((""
            (inst 1 "(# l := l(w1!1),
                    seq := (LAMBDA (i: below(l(w1!1))): seq(w1!1)(l(w1!1)-1-i))
  #)")
            (("1" (assert) nil nil)
             ("2" (expand "walk?")
              (("2" (split)
                (("1" (assert)
                  (("1" (expand "verts_in?")
                    (("1" (skosimp*)
                      (("1" (typepred "w1!1") (("1" (inst?) nil nil)) nil))
                      nil))
                    nil))
                  nil)
                 ("2" (skosimp*)
                  (("2" (expand "fseq")
                    (("2" (lemma "edge?_comm")
                      (("2" (inst?)
                        (("1" (assert)
                          (("1" (hide 2)
                            (("1" (typepred "w1!1")
                              (("1" (inst?) (("1" (assert) nil nil)) nil)) nil)
 )
                            nil))
                          nil)
                         ("2" (assert) nil nil)
                         ("3" (hide 2)
                          (("3" (typepred "n!1") (("3" (assert) nil nil)) nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((walk_from? const-decl "bool" walks nil)
      (- const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (below type-eq-decl nil naturalnumbers nil)
      (< const-decl "bool" reals nil) (>= const-decl "bool" reals nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (w1!1 skolem-const-decl "prewalk" walks nil)
      (G!1 skolem-const-decl "graph[T]" walks nil)
      (walk? const-decl "bool" walks nil) (prewalk type-eq-decl nil walks nil)
      (> const-decl "bool" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number nonempty-type-decl nil numbers nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (below type-eq-decl nil nat_types nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil walks nil) (Walk type-eq-decl nil walks nil)
      (verts_in? const-decl "bool" walks nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (edge?_comm formula-decl nil graphs nil)
      (n!1 skolem-const-decl "nat" walks nil))
     486 410 nil nil))
   (walk?_caret_TCC1 0
    (walk?_caret_TCC1-1 nil 3262701974 3262702181 ("" (subtype-tcc) nil nil)
     proved
     ((boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil) (graph type-eq-decl nil graphs nil
 )
      (number nonempty-type-decl nil numbers nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (>= const-decl "bool" reals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (int nonempty-type-eq-decl nil integers nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (> const-decl "bool" reals nil) (below type-eq-decl nil nat_types nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (prewalk type-eq-decl nil walks nil)
      (^ const-decl "fin_seq(IF PROJ_1(p) > PROJ_2(p) THEN 0
          ELSE PROJ_2(p) - PROJ_1(p) + 1
          ENDIF)" seq_def nil)
      (verts_in? const-decl "bool" walks nil)
      (/= const-decl "boolean" notequal nil) (T formal-type-decl nil walks nil)
      (edge? const-decl "bool" graphs nil) (walk? const-decl "bool" walks nil))
     488 450 nil nil))
   (walk?_caret 0
    (walk?_caret-1 nil 3262701974 3262702182
     ("" (skosimp*)
      (("" (expand "walk?")
        (("" (flatten)
          (("" (split +)
            (("1" (rewrite "verts_in?_caret") nil nil)
             ("2" (skosimp*)
              (("2" (expand "fseq")
                (("2" (expand "edge?")
                  (("2" (expand "^")
                    (("2" (assert) (("2" (inst?) (("2" (assert) nil nil)) nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((walk? const-decl "bool" walks nil)
      (below type-eq-decl nil naturalnumbers nil)
      (< const-decl "bool" reals nil) (prewalk type-eq-decl nil walks nil)
      (> const-decl "bool" reals nil) (finite_seq type-eq-decl nil seq_def nil)
      (below type-eq-decl nil nat_types nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number nonempty-type-decl nil numbers nil)
      (graph type-eq-decl nil graphs nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil walks nil)
      (verts_in?_caret formula-decl nil walks nil)
      (edge? const-decl "bool" graphs nil)
      (+ const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (^ const-decl "fin_seq(IF PROJ_1(p) > PROJ_2(p) THEN 0
          ELSE PROJ_2(p) - PROJ_1(p) + 1
          ENDIF)" seq_def nil))
     644 590 nil nil))
   (l_trunc1_TCC1 0
    (l_trunc1_TCC1-1 nil 3262701974 3262702182 ("" (subtype-tcc) nil nil) prove
 d
     ((boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (number nonempty-type-decl nil numbers nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (> const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (below type-eq-decl nil nat_types nil) (T formal-type-decl nil walks nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (prewalk type-eq-decl nil walks nil))
     62 70 nil nil))
   (l_trunc1 0
    (l_trunc1-1 nil 3262701974 3262702182
     ("" (skosimp*)
      (("" (expand "trunc1") (("" (expand "^") (("" (assert) nil nil)) nil))
        nil))
      nil)
     proved
     ((trunc1 const-decl "prewalk" walks nil)
      (^ const-decl "fin_seq(IF PROJ_1(p) > PROJ_2(p) THEN 0
          ELSE PROJ_2(p) - PROJ_1(p) + 1
          ENDIF)" seq_def nil))
     169 170 nil nil))
   (walk?_add1 0
    (walk?_add1-1 nil 3262701974 3262702182
     ("" (skosimp*)
      (("" (expand "walk?")
        (("" (flatten)
          (("" (split 1)
            (("1" (expand "verts_in?")
              (("1" (expand "add1")
                (("1" (skosimp*)
                  (("1" (hide -2)
                    (("1" (inst?)
                      (("1" (ground) nil nil) ("2" (assert) nil nil)) nil))
                    nil))
                  nil))
                nil))
              nil)
             ("2" (skosimp*)
              (("2" (expand "fseq")
                (("2" (expand "add1")
                  (("2" (lift-if)
                    (("2" (split 1)
                      (("1" (flatten)
                        (("1" (inst?)
                          (("1" (lift-if) (("1" (ground) nil nil)) nil)) nil))
                        nil)
                       ("2" (flatten) nil nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((walk? const-decl "bool" walks nil) (add1 const-decl "prewalk" walks nil)
      (number nonempty-type-decl nil numbers nil)
      (boolean nonempty-type-decl nil booleans nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (< const-decl "bool" reals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (int nonempty-type-eq-decl nil integers nil)
      (>= const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (below type-eq-decl nil nat_types nil) (T formal-type-decl nil walks nil)
      (finite_seq type-eq-decl nil seq_def nil) (> const-decl "bool" reals nil)
      (prewalk type-eq-decl nil walks nil)
      (ww!1 skolem-const-decl "prewalk" walks nil)
      (x!1 skolem-const-decl "T" walks nil)
      (below type-eq-decl nil naturalnumbers nil)
      (i!1 skolem-const-decl "below(l(add1(ww!1, x!1)))" walks nil)
      (verts_in? const-decl "bool" walks nil))
     489 420 nil nil))
   (walk_concat_edge_TCC1 0
    (walk_concat_edge_TCC1-1 nil 3262701974 3262702183
     ("" (subtype-tcc) nil nil) proved
     ((/= const-decl "boolean" notequal nil) (T formal-type-decl nil walks nil)
      (edge? const-decl "bool" graphs nil)
      (verts_in? const-decl "bool" walks nil)
      (walk? const-decl "bool" walks nil)
      (walk_from? const-decl "bool" walks nil)
      (O const-decl "finite_seq" seq_def nil))
     340 340 nil nil))
   (walk_concat_edge 0
    (walk_concat_edge-1 nil 3262701974 3262702184
     ("" (skosimp*)
      (("" (expand "walk_from?")
        (("" (flatten)
          (("" (expand "o ")
            (("" (assert)
              (("" (auto-rewrite "fseq")
                (("" (expand "walk?")
                  (("" (assert)
                    (("" (flatten)
                      (("" (assert)
                        (("" (split +)
                          (("1" (expand "verts_in?")
                            (("1" (skosimp*)
                              (("1" (hide -4)
                                (("1" (ground)
                                  (("1" (inst?) nil nil)
                                   ("2" (hide -3) (("2" (inst?) nil nil)) nil))
                                  nil))
                                nil))
                              nil))
                            nil)
                           ("2" (skosimp*)
                            (("2" (case "n!1 < l(w1!1)")
                              (("1" (assert)
                                (("1" (lift-if)
                                  (("1" (inst?) (("1" (ground) nil nil)) nil))
                                  nil))
                                nil)
                               ("2" (assert)
                                (("2" (hide -5)
                                  (("2" (inst?) (("2" (assert) nil nil)) nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((walk_from? const-decl "bool" walks nil)
      (O const-decl "finite_seq" seq_def nil)
      (verts_in? const-decl "bool" walks nil)
      (- const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (+ const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (below type-eq-decl nil naturalnumbers nil)
      (prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil walks nil) (below type-eq-decl nil nat_types nil)
      (< const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (boolean nonempty-type-decl nil booleans nil)
      (number nonempty-type-decl nil numbers nil)
      (walk? const-decl "bool" walks nil))
     1083 990 nil nil))
   (walk_concat_TCC1 0
    (walk_concat_TCC1-1 nil 3262701974 3262702184 ("" (subtype-tcc) nil nil)
     proved
     ((boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (pregraph type-eq-decl nil graphs nil) (graph type-eq-decl nil graphs nil
 )
      (number nonempty-type-decl nil numbers nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (real nonempty-type-from-decl nil reals nil)
      (> const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (below type-eq-decl nil nat_types nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (prewalk type-eq-decl nil walks nil)
      (verts_in? const-decl "bool" walks nil)
      (/= const-decl "boolean" notequal nil) (T formal-type-decl nil walks nil)
      (edge? const-decl "bool" graphs nil) (walk? const-decl "bool" walks nil)
      (walk_from? const-decl "bool" walks nil))
     487 450 nil nil))
   (walk_concat_TCC2 0
    (walk_concat_TCC2-1 nil 3262701974 3262702185
     ("" (skosimp*)
      (("" (expand "o ")
        (("" (expand "rev")
          (("" (expand "^") (("" (lift-if) (("" (ground) nil nil)) nil)) nil))
          nil))
        nil))
      nil)
     proved
     ((O const-decl "finite_seq" seq_def nil)
      (^ const-decl "fin_seq(IF PROJ_1(p) > PROJ_2(p) THEN 0
          ELSE PROJ_2(p) - PROJ_1(p) + 1
          ENDIF)" seq_def nil)
      (rev const-decl "finite_seq" seq_def nil))
     484 460 nil nil))
   (walk_concat 0
    (walk_concat-1 nil 3262701974 3262702187
     ("" (skosimp*)
      (("" (expand "walk_from?")
        (("" (flatten)
          (("" (assert)
            (("" (expand "o ")
              (("" (expand "rev")
                (("" (expand "^")
                  (("" (expand "walk?")
                    (("" (expand "fseq")
                      (("" (flatten)
                        (("" (split +)
                          (("1" (expand "verts_in?")
                            (("1" (skosimp*)
                              (("1" (ground)
                                (("1" (inst?) nil nil)
                                 ("2" (hide -2 -3 -4 -5 -6 -7 -9)
                                  (("2" (inst - "l(w1!1) + l(w2!1) - 2 - i!1")
                                    nil nil))
                                  nil))
                                nil))
                              nil))
                            nil)
                           ("2" (skosimp*)
                            (("2" (expand "edge?")
                              (("2" (case "n!1 < l(w1!1) - 1")
                                (("1" (assert)
                                  (("1" (inst?)
                                    (("1" (assert)
                                      (("1" (flatten)
                                        (("1"
                                          (assert)
                                          (("1"
                                            (case "n!1 = l(w1!1) - 1")
                                            (("1"
                                              (replace -1)
                                              (("1"
                                                (hide -1)
                                                (("1" (assert) nil nil))
                                                nil))
                                              nil)
                                             ("2"
                                              (lift-if)
                                              (("2" (assert) nil nil))
                                              nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil)
                                 ("2" (assert)
                                  (("2" (hide -6)
                                    (("2" (inst - "l(w1!1) + l(w2!1) - 3 - n!1"
 )
                                      (("2" (assert)
                                        (("2"
                                          (flatten)
                                          (("2"
                                            (assert)
                                            (("2" (rewrite "dbl_comm") nil nil)
 )
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((walk_from? const-decl "bool" walks nil)
      (rev const-decl "finite_seq" seq_def nil)
      (walk? const-decl "bool" walks nil)
      (+ const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (- const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (below type-eq-decl nil naturalnumbers nil)
      (prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil walks nil) (below type-eq-decl nil nat_types nil)
      (< const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (boolean nonempty-type-decl nil booleans nil)
      (number nonempty-type-decl nil numbers nil)
      (verts_in? const-decl "bool" walks nil)
      (edge? const-decl "bool" graphs nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (dbl_comm formula-decl nil doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (^ const-decl "fin_seq(IF PROJ_1(p) > PROJ_2(p) THEN 0
          ELSE PROJ_2(p) - PROJ_1(p) + 1
          ENDIF)" seq_def nil)
      (O const-decl "finite_seq" seq_def nil))
     1707 1600 nil nil))
   (walk?_cut_TCC1 0
    (walk?_cut_TCC1-1 nil 3262701974 3262702187 ("" (subtype-tcc) nil nil)
     proved
     ((verts_in? const-decl "bool" walks nil)
      (/= const-decl "boolean" notequal nil) (T formal-type-decl nil walks nil)
      (edge? const-decl "bool" graphs nil) (walk? const-decl "bool" walks nil)
      (walk_from? const-decl "bool" walks nil))
     110 110 nil nil))
   (walk?_cut_TCC2 0
    (walk?_cut_TCC2-1 nil 3262701974 3262702187
     ("" (skosimp*)
      (("" (expand "o ")
        (("" (expand "^") (("" (lift-if) (("" (ground) nil nil)) nil)) nil))
        nil))
      nil)
     proved
     ((O const-decl "finite_seq" seq_def nil)
      (^ const-decl "fin_seq(IF PROJ_1(p) > PROJ_2(p) THEN 0
          ELSE PROJ_2(p) - PROJ_1(p) + 1
          ENDIF)" seq_def nil))
     626 600 nil nil))
   (walk?_cut 0
    (walk?_cut-1 nil 3262701974 3262702190
     ("" (skosimp*)
      (("" (expand "walk_from?")
        (("" (flatten)
          (("" (expand "walk?")
            (("" (expand "fseq")
              (("" (expand "o ")
                (("" (expand "^")
                  (("" (expand "emptyseq")
                    (("" (split 1)
                      (("1" (propax) nil nil)
                       ("2" (flatten)
                        (("2" (lift-if)
                          (("2" (split 1)
                            (("1" (flatten)
                              (("1" (expand "verts_in?")
                                (("1" (hide -7)
                                  (("1" (inst?) (("1" (ground) nil nil)) nil))
                                  nil))
                                nil))
                              nil)
                             ("2" (flatten) (("2" (assert) nil nil)) nil))
                            nil))
                          nil))
                        nil)
                       ("3" (flatten)
                        (("3" (expand "verts_in?")
                          (("3" (skosimp*)
                            (("3" (hide -6)
                              (("3" (split 1)
                                (("1" (flatten)
                                  (("1" (inst?) (("1" (assert) nil nil)) nil))
                                  nil)
                                 ("2" (flatten)
                                  (("2" (assert)
                                    (("2" (typepred "i!2")
                                      (("2" (lift-if)
                                        (("2"
                                          (ground)
                                          (("2" (inst?) nil nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil)
                       ("4" (skosimp*)
                        (("4" (lift-if)
                          (("4" (split 1)
                            (("1" (flatten)
                              (("1" (ground)
                                (("1" (inst?) (("1" (assert) nil nil)) nil)
                                 ("2" (lift-if)
                                  (("2" (split 2)
                                    (("1" (flatten)
                                      (("1" (inst?) (("1" (assert) nil nil))
                                        nil))
                                      nil)
                                     ("2" (flatten)
                                      (("2" (assert)
                                        (("2"
                                          (inst?)
                                          (("2"
                                            (assert)
                                            (("2"
                                              (case "n!1 = i!1")
                                              (("1"
                                                (replace -1)
                                                (("1"
                                                  (hide -1)
                                                  (("1"
                                                    (assert)
                                                    (("1"
                                                      (replace -4)
                                                      (("1"
                                                        (reveal -2)
                                                        (("1"
                                                          (inst -1 "j!1")
                                                          (("1"
                                                            (assert)
                                                            nil
                                                            nil))
                                                          nil))
                                                        nil))
                                                      nil))
                                                    nil))
                                                  nil))
                                                nil)
                                               ("2" (assert) nil nil))
                                              nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil)
                             ("2" (flatten)
                              (("2" (ground)
                                (("2" (inst?) (("2" (assert) nil nil)) nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil))
          nil))
        nil))
      nil)
     proved
     ((walk_from? const-decl "bool" walks nil)
      (walk? const-decl "bool" walks nil)
      (^ const-decl "fin_seq(IF PROJ_1(p) > PROJ_2(p) THEN 0
          ELSE PROJ_2(p) - PROJ_1(p) + 1
          ENDIF)" seq_def nil)
      (+ const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (below type-eq-decl nil naturalnumbers nil)
      (prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil walks nil) (below type-eq-decl nil nat_types nil)
      (< const-decl "bool" reals nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (>= const-decl "bool" reals nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (boolean nonempty-type-decl nil booleans nil)
      (number nonempty-type-decl nil numbers nil)
      (verts_in? const-decl "bool" walks nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (ps!1 skolem-const-decl "prewalk" walks nil)
      (i!1 skolem-const-decl "below(l(ps!1))" walks nil)
      (j!1 skolem-const-decl "below(l(ps!1))" walks nil)
      (i!2 skolem-const-decl "below(1 + i!1 +
         IF 1 + j!1 > l(ps!1) - 1 THEN 0 ELSE l(ps!1) - 1 - j!1 ENDIF)" walks
       nil)
      (- const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (IF const-decl "[boolean, T, T -> T]" if_def nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (emptyseq const-decl "fin_seq(0)" seq_def nil)
      (O const-decl "finite_seq" seq_def nil))
     2588 2420 nil nil))
   (walk_merge 0
    (walk_merge-1 nil 3262701974 3262702192
     ("" (skosimp*)
      (("" (case "l(p2!1) = 1")
        (("1" (inst 1 "rev(p1!1)")
          (("1" (expand "walk_from?")
            (("1" (flatten)
              (("1" (expand "rev")
                (("1" (assert)
                  (("1" (lemma "walk?_rev")
                    (("1" (inst?)
                      (("1" (assert)
                        (("1" (expand "rev") (("1" (propax) nil nil)) nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil)
           ("2" (expand "rev") (("2" (assert) nil nil)) nil))
          nil)
         ("2" (inst + "trunc1(p2!1) o rev(p1!1)")
          (("1" (expand "walk_from?")
            (("1" (expand "o ")
              (("1" (expand "trunc1")
                (("1" (expand "rev")
                  (("1" (expand "^")
                    (("1" (assert)
                      (("1" (flatten)
                        (("1" (assert)
                          (("1" (expand "walk?")
                            (("1" (split +)
                              (("1" (expand "verts_in?")
                                (("1" (skosimp*)
                                  (("1" (assert)
                                    (("1" (typepred "i!1")
                                      (("1" (hide -5 -9)
                                        (("1"
                                          (hide -2 -3 -5 -6)
                                          (("1"
                                            (ground)
                                            (("1"
                                              (hide -3)
                                              (("1" (inst?) nil nil))
                                              nil)
                                             ("2" (inst?) nil nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil)
                               ("2" (skosimp*)
                                (("2" (expand "fseq")
                                  (("2" (lift-if)
                                    (("2" (ground)
                                      (("1" (expand "edge?")
                                        (("1"
                                          (inst -10 "n!1")
                                          (("1"
                                            (assert)
                                            (("1"
                                              (flatten)
                                              (("1"
                                                (assert)
                                                (("1"
                                                  (lift-if)
                                                  (("1" (assert) nil nil))
                                                  nil))
                                                nil))
                                              nil))
                                            nil))
                                          nil))
                                        nil)
                                       ("2" (expand "edge?")
                                        (("2"
                                          (inst
                                           -5
                                           "l(p1!1) + l(p2!1) - 3 - n!1")
                                          (("2"
                                            (assert)
                                            (("2"
                                              (flatten)
                                              (("2"
                                                (assert)
                                                (("2"
                                                  (rewrite "dbl_comm")
                                                  nil
                                                  nil))
                                                nil))
                                              nil))
                                            nil))
                                          nil))
                                        nil))
                                      nil))
                                    nil))
                                  nil))
                                nil))
                              nil))
                            nil))
                          nil))
                        nil))
                      nil))
                    nil))
                  nil))
                nil))
              nil))
            nil)
           ("2" (expand "o ")
            (("2" (expand "rev")
              (("2" (expand "trunc1")
                (("2" (expand "^")
                  (("2" (expand "emptyseq") (("2" (assert) nil nil)) nil)) nil)
 )
                nil))
              nil))
            nil)
           ("3" (assert) nil nil))
          nil))
        nil))
      nil)
     proved
     ((prewalk type-eq-decl nil walks nil) (> const-decl "bool" reals nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (real nonempty-type-from-decl nil reals nil)
      (real_pred const-decl "[number_field -> boolean]" reals nil)
      (number_field nonempty-type-from-decl nil number_fields nil)
      (number_field_pred const-decl "[number -> boolean]" number_fields nil)
      (finite_seq type-eq-decl nil seq_def nil)
      (T formal-type-decl nil walks nil) (below type-eq-decl nil nat_types nil)
      (nat nonempty-type-eq-decl nil naturalnumbers nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (boolean nonempty-type-decl nil booleans nil)
      (number nonempty-type-decl nil numbers nil)
      (walk_from? const-decl "bool" walks nil)
      (walk?_rev formula-decl nil walks nil) (graph type-eq-decl nil graphs nil
 )
      (IMPLIES const-decl "[bool, bool -> bool]" booleans nil)
      (pregraph type-eq-decl nil graphs nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil) (rev const-decl "finite_seq" seq_def nil)
      (p1!1 skolem-const-decl "prewalk" walks nil)
      (emptyseq const-decl "fin_seq(0)" seq_def nil)
      (^ const-decl "fin_seq(IF PROJ_1(p) > PROJ_2(p) THEN 0
          ELSE PROJ_2(p) - PROJ_1(p) + 1
          ENDIF)" seq_def nil)
      (walk? const-decl "bool" walks nil) (edge? const-decl "bool" graphs nil)
      (dbl_comm formula-decl nil doubletons nil)
      (verts_in? const-decl "bool" walks nil)
      (below type-eq-decl nil naturalnumbers nil)
      (+ const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (- const-decl "[numfield, numfield -> numfield]" number_fields nil)
      (numfield nonempty-type-eq-decl nil number_fields nil)
      (int nonempty-type-eq-decl nil integers nil)
      (integer_pred const-decl "[rational -> boolean]" integers nil)
      (rational nonempty-type-from-decl nil rationals nil)
      (rational_pred const-decl "[real -> boolean]" rationals nil)
      (< const-decl "bool" reals nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (O const-decl "finite_seq" seq_def nil)
      (Longprewalk type-eq-decl nil walks nil)
      (trunc1 const-decl "prewalk" walks nil) (>= const-decl "bool" reals nil)
      (p2!1 skolem-const-decl "prewalk" walks nil))
     2216 2000 nil nil)))
  
  
  $$$doubletons.pvs
  doubletons[T: TYPE]: THEORY
  
  BEGIN
  
     x,y,z: VAR T
  
     dbl(x,y): set[T] = {t: T | t = x OR t = y}
  
     S: VAR set[T]
  
     doubleton?(S): bool = (EXISTS x,y: x /= y AND S = dbl(x,y))
  
     doubleton: TYPE = {S | EXISTS x,y: x /= y AND S = dbl(x,y)}
  
     Dbl: TYPE = doubleton
  
     dbl_comm: LEMMA dbl(x,y) = dbl(y,x)
  
     D: VAR doubleton
  
     doubleton_irreflexive  : LEMMA NOT doubleton?(dbl(x,x))
  
     doubleton_nonempty     : LEMMA nonempty?(D)
  
     doubleton_rest_nonempty: LEMMA nonempty?(rest(D))
  
     dbl_choose             : LEMMA choose(dbl(x,y)) = x or choose(dbl(x,y)) = 
 y
  
     dbl_rest_choose        : LEMMA x /= y IMPLIES
                                    (choose(dbl(x,y)) /= choose(rest(dbl(x,y)))
 ) AND 
                                    (choose(rest(dbl(x,y))) = x 
                                        OR choose(rest(dbl(x,y))) = y)
  
     dbl_to_pair(D) : {(x,y) | D = dbl(x,y)}
  
     dbl_def        : LEMMA dbl(PROJ_1(dbl_to_pair(D)), PROJ_2(dbl_to_pair(D)))
  = D
  
     dbl_in         : LEMMA D = dbl(x,y) IMPLIES D(x) AND D(y)
     
     dbl_not_in     : LEMMA D = dbl(x,y) AND z /= x AND z /= y IMPLIES NOT D(z)
  
     dbl_to_pair_lem        : LEMMA x /= y IMPLIES
                                     dbl_to_pair(dbl(x,y)) = (x,y) OR
                                     dbl_to_pair(dbl(x,y)) = (y,x) 
  
     dbl_to_pair_inverse_l  : LEMMA dbl(dbl_to_pair(D)) = D
  
     dbl_proj               : LEMMA D(PROJ_1(dbl_to_pair(D))) AND
                                    D(PROJ_2(dbl_to_pair(D)))
     v: VAR T
     proj_dbl: LEMMA (PROJ_1(dbl_to_pair(D)) = v OR PROJ_2(dbl_to_pair(D)) = v)
                      IMPLIES D(v)
  
     dbl_eq: LEMMA dbl(x,y) = dbl(v,z) IMPLIES
                          (x = v AND y = z) OR (x = z AND y = v)
  
  
     finite_dbl: LEMMA is_finite(dbl[T](x,y))
  
     e: VAR doubleton
     finite_doubleton: LEMMA is_finite(e)
  
     card_dbl: LEMMA x /= y IMPLIES card(dbl(x,y)) = 2
  
     JUDGEMENT dbl(x,y) HAS_TYPE finite_set[T]
  
  
      AUTO_REWRITE+ doubleton_irreflexive   % NOT doubleton?(dbl(x,x))
      AUTO_REWRITE+ doubleton_nonempty      % nonempty?(D)  
      AUTO_REWRITE+ dbl_def                 % dbl(PROJ_1(dbl_to_pair(D)), 
  %                                         %     PROJ_2(dbl_to_pair(D))) = D
  
  %  ------------- The following two cause wierd PVS bug -------
  
  %   AUTO_REWRITE+ dbl_in                  % D = dbl(x,y) IMPLIES D(x) AND D(y
 )
  %   AUTO_REWRITE+ dbl_not_in              % D = dbl(x,y) AND z /= x AND z /= 
 y 
  
  
  %  ---------- BELOW OK --------------
                                           %     IMPLIES NOT D(z)
     AUTO_REWRITE+ dbl_to_pair_inverse_l   % dbl(dbl_to_pair(D)) = D
     AUTO_REWRITE+ dbl_proj                
  
     AUTO_REWRITE+ finite_dbl
     AUTO_REWRITE+ finite_doubleton
  
  %(stop-rewrite "finite_dbl")
  %(stop-rewrite "dbl_proj")
  %(stop-rewrite "dbl_to_pair_inverse_l")
  %(stop-rewrite "dbl_not_in")
  %(stop-rewrite "dbl_in")
  %(stop-rewrite "dbl_def")
  %(stop-rewrite "doubleton_nonempty")
  %(stop-rewrite "doubleton_irreflexive")
  
  
  END doubletons
  
  $$$doubletons.prf
  (doubletons
   (dbl_comm 0
    (dbl_comm-1 nil 3262619824 3262620019
     ("" (skosimp*)
      (("" (expand "dbl")
        (("" (apply-extensionality 1 :hide? t)
          (("" (iff) (("" (ground) nil))))))))
      nil)
     proved
     ((dbl const-decl "set[T]" doubletons nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (OR const-decl "[bool, bool -> bool]" booleans nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil doubletons nil))
     67 70 nil nil))
   (doubleton_irreflexive 0
    (doubleton_irreflexive-1 nil 3262619824 3262620019
     ("" (skosimp*)
      (("" (expand "doubleton?")
        (("" (skosimp*)
          ((""
            (case "(FORALL (z:T): member(z,dbl(x!1, x!1)) = member(z,dbl(x!2, y
 !1)))")
            (("1" (inst-cp -1 "x!2")
              (("1" (inst -1 "y!1")
                (("1" (expand "member")
                  (("1" (expand "dbl")
                    (("1" (hide -3) (("1" (ground) nil)))))))))))
             ("2" (skosimp*)
              (("2" (expand "member")
                (("2" (replace -1) (("2" (propax) nil))))))))))))))
      nil)
     proved
     ((doubleton? const-decl "bool" doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (member const-decl "bool" sets nil) (set type-eq-decl nil sets nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil doubletons nil))
     138 90 nil nil))
   (doubleton_nonempty 0
    (doubleton_nonempty-1 nil 3262619824 3262620019
     ("" (auto-rewrite-defs :always? t)
      (("" (assert)
        (("" (skolem-typepred)
          (("" (skolem-typepred)
            (("" (flatten)
              (("" (replace*)
                (("" (assert)
                  (("" (inst? :if-match t :polarity? nil)
                    (("" (flatten) (("" (propax) nil))))))))))))))))))
      nil)
     proved
     ((nonempty? const-decl "bool" sets nil) (empty? const-decl "bool" sets nil
 )
      (member const-decl "bool" sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (set type-eq-decl nil sets nil) (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (T formal-type-decl nil doubletons nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil))
     115 70 nil nil))
   (doubleton_rest_nonempty 0
    (doubleton_rest_nonempty-1 nil 3262619824 3262620019
     ("" (skolem-typepred)
      (("" (skosimp*)
        (("" (expand "rest")
          (("" (rewrite "doubleton_nonempty")
            (("" (expand "nonempty?")
              (("" (assert)
                (("" (prop)
                  (("" (expand "empty?")
                    (("" (expand "remove")
                      (("" (expand "member")
                        (("" (inst-cp - "x!1")
                          (("" (inst - "y!1")
                            (("" (replace -1)
                              (("" (expand "dbl")
                                (("" (assert) nil))))))))))))))))))))))))))))
      nil)
     proved
     ((doubleton_nonempty formula-decl nil doubletons nil)
      (empty? const-decl "bool" sets nil) (member const-decl "bool" sets nil)
      (remove const-decl "set" sets nil) (nonempty? const-decl "bool" sets nil)
      (rest const-decl "set" sets nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (set type-eq-decl nil sets nil) (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (T formal-type-decl nil doubletons nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil))
     120 120 nil nil))
   (dbl_choose_TCC1 0
    (dbl_choose_TCC1-1 nil 3262619824 nil ("" (subtype-tcc) nil nil)
     proved-complete
     ((nonempty? const-decl "bool" sets nil) (empty? const-decl "bool" sets nil
 )
      (member const-decl "bool" sets nil)
      (dbl const-decl "set[T]" doubletons nil)
      (T formal-type-decl nil doubletons nil))
     nil nil nil nil))
   (dbl_choose 0
    (dbl_choose-1 nil 3262619824 3262620019
     ("" (skosimp*)
      (("" (expand "dbl")
        (("" (expand "choose")
          (("" (assert)
            (("" (lemma "epsilon_ax[T]")
              (("1" (inst?)
                (("1" (assert) (("1" (inst + "x!1") (("1" (assert) nil)))))))
               ("2" (inst + "x!1") nil))))))))))
      nil)
     proved
     ((dbl const-decl "set[T]" doubletons nil)
      (pred type-eq-decl nil defined_types nil)
      (OR const-decl "[bool, bool -> bool]" booleans nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (TRUE const-decl "bool" booleans nil)
      (epsilon_ax formula-decl nil epsilons nil)
      (T formal-type-decl nil doubletons nil)
      (choose const-decl "(p)" sets nil))
     104 70 nil nil))
   (dbl_rest_choose_TCC1 0
    (dbl_rest_choose_TCC1-1 nil 3262619824 nil
     ("" (skosimp*)
      (("" (use "doubleton_rest_nonempty") (("" (inst?) (("" (assert) nil))))))
      nil)
     proved-incomplete
     ((T formal-type-decl nil doubletons nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (doubleton_rest_nonempty formula-decl nil doubletons nil))
     nil nil nil nil))
   (dbl_rest_choose 0
    (dbl_rest_choose-1 nil 3262619824 3262620020
     ("" (skosimp*)
      (("" (expand "rest")
        (("" (lemma "doubleton_nonempty")
          (("" (inst - "dbl(x!1, y!1)")
            (("1" (expand "nonempty?")
              (("1" (assert)
                (("1" (use "dbl_choose")
                  (("1" (ground)
                    (("1" (replace -2)
                      (("1" (expand "remove")
                        (("1" (expand "member") (("1" (assert) nil)))))))
                     ("2" (replace -1)
                      (("2" (expand "remove")
                        (("2" (expand "member")
                          (("2" (assert)
                            (("2" (expand "dbl")
                              (("2" (hide -1 3)
                                (("2" (expand "choose")
                                  (("2" (lemma "epsilon_ax[T]")
                                    (("1" (inst?)
                                      (("1" (assert)
                                        (("1"
                                          (inst + "y!1")
                                          (("1" (assert) nil)))))))
                                     ("2" (inst + "y!1") nil)))))))))))))))))
                     ("3" (replace -2)
                      (("3" (expand "remove") (("3" (assert) nil)))))
                     ("4" (replace -1)
                      (("4" (expand "remove")
                        (("4" (expand "member")
                          (("4" (expand "dbl")
                            (("4" (assert)
                              (("4" (hide -1)
                                (("4" (hide 3)
                                  (("4" (expand "choose")
                                    (("4" (lemma "epsilon_ax[T]")
                                      (("1" (inst?)
                                        (("1"
                                          (assert)
                                          (("1"
                                            (inst + "x!1")
                                            (("1" (assert) nil)))))))
                                       ("2" (inst + "x!1")
                                        nil)))))))))))))))))))))))))))
             ("2" (hide 3) (("2" (inst?) (("2" (assert) nil))))))))))))
      nil)
     proved
     ((rest const-decl "set" sets nil)
      (y!1 skolem-const-decl "T" doubletons nil)
      (x!1 skolem-const-decl "T" doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (set type-eq-decl nil sets nil) (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (remove const-decl "set" sets nil) (member const-decl "bool" sets nil)
      (epsilon_ax formula-decl nil epsilons nil)
      (TRUE const-decl "bool" booleans nil)
      (pred type-eq-decl nil defined_types nil)
      (OR const-decl "[bool, bool -> bool]" booleans nil)
      (choose const-decl "(p)" sets nil)
      (dbl_choose formula-decl nil doubletons nil)
      (nonempty? const-decl "bool" sets nil)
      (doubleton_nonempty formula-decl nil doubletons nil))
     350 300 nil nil))
   (dbl_to_pair_TCC1 0
    (dbl_to_pair_TCC1-1 nil 3262619824 nil
     ("" (inst 1 " (LAMBDA D: (choose(D),choose(rest(D))))")
      (("1" (skosimp*)
        (("1" (typepred "D!1")
          (("1" (skosimp*)
            (("1" (replace -1)
              (("1" (lemma "dbl_choose")
                (("1" (inst?)
                  (("1" (lemma "dbl_rest_choose")
                    (("1" (inst?)
                      (("1" (assert)
                        (("1" (flatten)
                          (("1" (assert)
                            (("1" (prop)
                              (("1" (replace*) nil)
                               ("2" (replace*) (("2" (rewrite "dbl_comm") nil))
 )
                               ("3" (replace*) nil)
                               ("4" (replace*) nil)))))))))))))))))))))))))
       ("2" (lemma "doubleton_rest_nonempty") (("2" (propax) nil)))
       ("3" (lemma "doubleton_nonempty") (("3" (propax) nil))))
      nil)
     proved-incomplete
     ((T formal-type-decl nil doubletons nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (/= const-decl "boolean" notequal nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (nonempty? const-decl "bool" sets nil) (choose const-decl "(p)" sets nil)
      (rest const-decl "set" sets nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (dbl_comm formula-decl nil doubletons nil)
      (dbl_rest_choose formula-decl nil doubletons nil)
      (dbl_choose formula-decl nil doubletons nil)
      (doubleton_rest_nonempty formula-decl nil doubletons nil)
      (doubleton_nonempty formula-decl nil doubletons nil))
     nil nil nil nil))
   (dbl_def 0
    (dbl_def-1 nil 3262619824 3262620020 ("" (skosimp*) (("" (assert) nil)) nil
 )
     proved nil 16 20 nil nil))
   (dbl_in 0
    (dbl_in-1 nil 3262619824 3262620020
     ("" (skosimp*) (("" (replace -1) (("" (hide -1) (("" (grind) nil)))))) nil
 )
     proved ((dbl const-decl "set[T]" doubletons nil)) 38 40 nil nil))
   (dbl_not_in 0
    (dbl_not_in-1 nil 3262619824 3262620020
     ("" (skosimp*) (("" (replace -1) (("" (hide -1) (("" (grind) nil)))))) nil
 )
     proved ((dbl const-decl "set[T]" doubletons nil)) 43 50 nil nil))
   (dbl_to_pair_lem_TCC1 0
    (dbl_to_pair_lem_TCC1-1 nil 3262619824 nil ("" (subtype-tcc) nil nil)
     proved-complete
     ((/= const-decl "boolean" notequal nil)
      (T formal-type-decl nil doubletons nil))
     nil nil nil nil))
   (dbl_to_pair_lem 0
    (dbl_to_pair_lem-1 nil 3262619824 3262620020
     ("" (skosimp*)
      (("" (typepred "dbl_to_pair(dbl(x!1, y!1))")
        (("1"
          (case "dbl(x!1, y!1)(x!1)
            =
          dbl(PROJ_1(dbl_to_pair(dbl(x!1, y!1))),
              PROJ_2(dbl_to_pair(dbl(x!1, y!1))))(x!1)")
          (("1"
            (case "dbl(x!1, y!1)(y!1)
            =
          dbl(PROJ_1(dbl_to_pair(dbl(x!1, y!1))),
              PROJ_2(dbl_to_pair(dbl(x!1, y!1))))(y!1)")
            (("1" (hide -3)
              (("1" (expand "dbl")
                (("1" (apply-extensionality 2 :hide? t)
                  (("1" (apply-extensionality 3 :hide? t)
                    (("1" (expand "dbl") (("1" (inst?) (("1" (assert) nil))))))
 )
                   ("2" (apply-extensionality 3 :hide? t)
                    (("2" (expand "dbl") (("2" (inst?) (("2" (assert) nil))))))
 )
                   ("3" (expand "dbl")
                    (("3" (inst?) (("3" (assert) nil)))))))))))
             ("2" (assert) nil)))
           ("2" (assert) nil)))
         ("2" (inst?) (("2" (assert) nil))))))
      nil)
     proved
     ((dbl_to_pair const-decl "{x, y | D = dbl(x, y)}" doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (set type-eq-decl nil sets nil) (T formal-type-decl nil doubletons nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (y!1 skolem-const-decl "T" doubletons nil)
      (x!1 skolem-const-decl "T" doubletons nil)
      (OR const-decl "[bool, bool -> bool]" booleans nil))
     326 300 nil nil))
   (dbl_to_pair_inverse_l 0
    (dbl_to_pair_inverse_l-1 nil 3262619824 3262620020
     ("" (skolem-typepred)
      (("" (skosimp*)
        (("" (replace -1)
          (("" (use "dbl_to_pair_lem")
            (("" (assert)
              (("" (ground)
                (("1" (replace -1) (("1" (propax) nil)))
                 ("2" (replace -1) (("2" (rewrite "dbl_comm") nil))))))))))))))
      nil)
     proved
     ((dbl_to_pair_lem formula-decl nil doubletons nil)
      (dbl_comm formula-decl nil doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (set type-eq-decl nil sets nil) (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (T formal-type-decl nil doubletons nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil))
     108 90 nil nil))
   (dbl_proj 0
    (dbl_proj-1 nil 3262619824 3262620020
     ("" (skosimp*)
      (("" (lemma "dbl_to_pair_inverse_l")
        (("" (inst?)
          (("" (expand "dbl") (("" (replace -1 + rl) (("" (assert) nil)))))))))
 )
      nil)
     proved
     ((dbl_to_pair_inverse_l formula-decl nil doubletons nil)
      (doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (set type-eq-decl nil sets nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (T formal-type-decl nil doubletons nil))
     49 40 nil nil))
   (proj_dbl 0
    (proj_dbl-1 nil 3262619824 3262620020
     ("" (skosimp*)
      (("" (typepred "D!1")
        (("" (skosimp*)
          (("" (replace -1)
            (("" (hide -1)
              (("" (lemma "dbl_to_pair_lem")
                (("" (inst?) (("" (assert) (("" (grind) nil))))))))))))))))
      nil)
     proved
     ((doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (set type-eq-decl nil sets nil) (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (T formal-type-decl nil doubletons nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (dbl_to_pair_lem formula-decl nil doubletons nil))
     104 80 nil nil))
   (dbl_eq 0
    (dbl_eq-1 nil 3262619824 3262620021
     ("" (skosimp*)
      (("" (case "dbl(x!1, y!1)(x!1) = dbl(v!1, z!1)(x!1)")
        (("1" (case "dbl(x!1, y!1)(y!1) = dbl(v!1, z!1)(y!1)")
          (("1" (case "dbl(x!1, y!1)(z!1) = dbl(v!1, z!1)(z!1)")
            (("1" (case "dbl(x!1, y!1)(v!1) = dbl(v!1, z!1)(v!1)")
              (("1" (expand "dbl") (("1" (ground) nil))) ("2" (assert) nil)))
             ("2" (assert) nil)))
           ("2" (assert) nil)))
         ("2" (assert) nil))))
      nil)
     proved
     ((dbl const-decl "set[T]" doubletons nil) (set type-eq-decl nil sets nil)
      (T formal-type-decl nil doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil))
     133 130 nil nil))
   (finite_dbl 0
    (finite_dbl-1 nil 3262619839 3262620021
     ("" (skosimp*)
      (("" (case-replace "dbl[T](x!1, y!1) = add(x!1,singleton(y!1))")
        (("1" (hide -1) (("1" (rewrite "finite_add") nil nil)) nil)
         ("2" (hide 2)
          (("2" (apply-extensionality :hide? t) (("2" (grind) nil nil)) nil))
          nil))
        nil))
      nil)
     proved
     ((T formal-type-decl nil doubletons nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (nonempty? const-decl "bool" sets nil)
      (add const-decl "(nonempty?)" sets nil)
      (singleton? const-decl "bool" sets nil)
      (singleton const-decl "(singleton?)" sets nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (finite_add formula-decl nil finite_sets nil)
      (member const-decl "bool" sets nil))
     175 140 t nil))
   (finite_doubleton 0
    (finite_doubleton-1 nil 3262619876 3262620021
     ("" (skosimp*)
      (("" (typepred "e!1")
        (("" (skosimp*)
          (("" (replace -1)
            (("" (hide -1) (("" (rewrite "finite_dbl") nil nil)) nil)) nil))
          nil))
        nil))
      nil)
     proved
     ((doubleton type-eq-decl nil doubletons nil)
      (dbl const-decl "set[T]" doubletons nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (set type-eq-decl nil sets nil) (/= const-decl "boolean" notequal nil)
      (AND const-decl "[bool, bool -> bool]" booleans nil)
      (T formal-type-decl nil doubletons nil)
      (NOT const-decl "[bool -> bool]" booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (boolean nonempty-type-decl nil booleans nil)
      (finite_dbl formula-decl nil doubletons nil))
     44 40 nil nil))
   (card_dbl_TCC1 0
    (card_dbl_TCC1-1 nil 3262619970 3262620011
     ("" (skosimp*) (("" (lemma "finite_dbl") (("" (inst?) nil nil)) nil)) nil)
     proved
     ((finite_dbl formula-decl nil doubletons nil)
      (T formal-type-decl nil doubletons nil))
     12208 1430 t shostak))
   (card_dbl 0
    (card_dbl-1 nil 3262619942 3262620021
     ("" (skosimp*)
      (("" (case-replace "dbl(x!1, y!1) = add(x!1,singleton(y!1))")
        (("1" (hide -1)
          (("1" (rewrite "card_add")
            (("1" (rewrite "card_singleton")
              (("1" (expand "singleton") (("1" (assert) nil nil)) nil)) nil))
            nil))
          nil)
         ("2" (hide 3)
          (("2" (apply-extensionality 1 :hide? t) (("2" (grind) nil nil)) nil))
          nil))
        nil))
      nil)
     proved
     ((T formal-type-decl nil doubletons nil)
      (boolean nonempty-type-decl nil booleans nil)
      (bool nonempty-type-eq-decl nil booleans nil)
      (set type-eq-decl nil sets nil)
      (= const-decl "[T, T -> boolean]" equalities nil)
      (dbl const-decl "set[T]" doubletons nil)
      (nonempty? const-decl "bool" sets nil)
      (add const-decl "(nonempty?)" sets nil)
      (singleton? const-decl "bool" sets nil)
      (singleton const-decl "(singleton?)" sets nil)
      (finite_set type-eq-decl nil finite_sets nil)
      (is_finite const-decl "bool" finite_sets nil)
      (card_add formula-decl nil finite_sets nil)
      (card_singleton formula-decl nil finite_sets nil)
      (member const-decl "bool" sets nil))
     502 460 nil nil))
   (dbl_TCC1 0
    (dbl_TCC1-1 nil 3262619970 3262620055
     ("" (skosimp*) (("" (rewrite "finite_dbl") nil nil)) nil) proved
     ((finite_dbl formula-decl nil doubletons nil)
      (T formal-type-decl nil doubletons nil))
     11617 970 t shostak)))
  
  
  $$$graphs.pvs
  graphs[T: TYPE]: THEORY
  %----------------------------------------------------------------------------
 ---
  %
  % Defines:
  %
  %      Graph[T] -- graph over domain T
  %      vert(G)  -- vertices of graph G
  %      edges(G) -- set of edges in a graph G
  %
  %  Authors:
  %
  %      Ricky W. Butler   NASA Langley
  %      Jon Sjogren       AFOSR
  %
  %  Version 1.0           Last modified 12/20/96
  %
  %  Maintained by:
  %
  %     Rick Butler        NASA Langley Research Center   
  %                        R.W.Butler@larc.nasa.gov
  %
  %  NOTE:
  %
  %----------------------------------------------------------------------------
 ---
  BEGIN
  
  
    IMPORTING %finite_sets@finite_sets[T], 
              doubletons[T] 
              %finite_sets@finite_sets[doubleton[T]]
  
    R: VAR PRED[[T, T]]
    x,y,v: VAR T
  
    pregraph: TYPE = [# vert : finite_set[T],
                        edges: finite_set[doubleton[T]] #]
  
    graph: TYPE = {g: pregraph | (FORALL (e: doubleton[T]): edges(g)(e) IMPLIES
                                       (FORALL (x: T): e(x) IMPLIES vert(g)(x))
 )}
   
    e: VAR doubleton[T]
    G: var graph
   
    edg(x,(y:{y:T | y /= x})): doubleton[T] = dbl[T](x,y)
  
    edge?(G)(x,y): bool = x /= y AND edges(G)(dbl[T](x,y))
  
    edge?_comm : LEMMA edge?(G)(y, x) IMPLIES edge?(G)(x, y)
  
    edges_vert      : LEMMA e(x) AND edges(G)(e) IMPLIES
                               (EXISTS y: x /= y AND vert(G)(y) AND e(y))
  
  
    other_vert      : LEMMA e(v) AND edges(G)(e)
                           IMPLIES (EXISTS (u: T): u /= v AND vert(G)(u) 
                                                   AND e = dbl[T](u, v))
  
    edge_has_2_verts: LEMMA x /= v AND e(x) AND e(v)
                                     IMPLIES e = dbl(x,v)
  
     dbl_uneq: LEMMA e=dbl[T](x,y) IMPLIES x /=y
  
     edges_symm:  LEMMA edges(G)(e) AND e=(dbl[T](x,y)) IMPLIES 
  		edges(G)(dbl[T](y,x))
  
  % -------------- size of graphs --------------------
  
    size(G): nat = card[T](vert(G))
  
    empty?(G): bool = empty?(vert(G))
  
    singleton?(G): bool = (size(G) = 1)
  
    isolated?(G): bool = empty?(edges(G))
  
    empty?_rew          : LEMMA empty?(G) = (card(vert(G)) = 0)
  
    edges_of_empty      : LEMMA empty?(G) 
                                   IMPLIES edges(G) = emptyset[doubleton[T]]
  
    singleton_edges     : LEMMA singleton?(G) IMPLIES  empty?(edges(G))
  
    edge_in_card_gt_1   : LEMMA edges(G)(e) IMPLIES card(vert(G)) > 1
  
    not_singleton_2_vert: LEMMA NOT empty?(G) AND NOT singleton?(G) 
                                  IMPLIES (EXISTS (x,y: T): x /= y AND
                                       vert(G)(x) AND vert(G)(y))
  
    infgraph: TYPE = [# vert : set[T],
                        edges: set[doubleton[T]] #]
  
  
    is_graph(g: infgraph): bool = is_finite[T](vert(g))
                                  AND is_finite[doubleton[T]](edges(g))
                                  AND (FORALL (e: doubleton[T]): edges(g)(e) 
                                       IMPLIES (FORALL x: e(x) IMPLIES vert(g)(
 x)))
  
    singleton_graph(v): graph = (# vert := singleton[T](v), 
                                         edges := emptyset[doubleton[T]] #)
    
    is_sing:  LEMMA singleton?(singleton_graph(x))
  
    Graph: TYPE = {g: graph | nonempty?(vert(g))}
  
  %  finite_dbl: LEMMA is_finite(dbl[T](x,y))
  
  %  finite_doubleton: LEMMA is_finite(e)
  
  %  card_dbl: LEMMA x /= y IMPLIES card(dbl(x,y)) = 2
  
  %  JUDGEMENT dbl(x,y) HAS_TYPE finite_set[T]
  
  END graphs
  
  
  $$$graphs.prf
  (|graphs|
   (|edg_TCC1| "" (SKOSIMP*) (("" (INST?) (("" (ASSERT) NIL NIL)) NIL))
    NIL)
   (|edge?_TCC1| "" (SUBTYPE-TCC) NIL NIL)
   (|edge?_comm| "" (SKOSIMP*)
    (("" (EXPAND "edge?")
      (("" (REWRITE "dbl_comm")
        (("" (FLATTEN) (("" (ASSERT) NIL NIL)) NIL)) NIL))
      NIL))
    NIL)
   (|edges_vert| "" (SKOSIMP*)
    (("" (TYPEPRED "e!1")
      (("" (SKOSIMP*)
        (("" (REPLACE -1)
          (("" (HIDE -1)
            (("" (LEMMA "dbl_to_pair_lem")
              (("" (INST?)
                (("" (ASSERT)
                  (("" (PROP)
                    (("1" (HIDE -1)
                      (("1" (EXPAND "dbl" -1)
                        (("1" (PROP)
                          (("1" (INST 2 "y!1")
                            (("1" (ASSERT)
                              (("1" (TYPEPRED "G!1")
                                (("1"
                                  (INST?)
                                  (("1"
                                    (ASSERT)
                                    (("1"
                                      (INST -1 "y!1")
                                      (("1"
                                        (EXPAND "dbl")
                                        (("1" (PROPAX) NIL NIL))
                                        NIL))
                                      NIL))
                                    NIL)
                                   ("2"
                                    (INST?)
                                    (("2" (ASSERT) NIL NIL))
                                    NIL))
                                  NIL))
                                NIL))
                              NIL))
                            NIL)
                           ("2" (REPLACE -1)
                            (("2" (HIDE -1)
                              (("2" (INST?)
                                (("2"
                                  (TYPEPRED "G!1")
                                  (("2"
                                    (INST?)
                                    (("1"
                                      (ASSERT)
                                      (("1"
                                        (INST?)
                                        (("1"
                                          (EXPAND "dbl")
                                          (("1" (PROPAX) NIL NIL))
                                          NIL))
                                        NIL))
                                      NIL)
                                     ("2"
                                      (INST?)
                                      (("2"
                                        (ASSERT)
                                        (("2"
                                          (HIDE -1 3)
                                          (("2"
                                            (APPLY-EXTENSIONALITY
                                             :HIDE?
                                             T)
                                            (("2" (GRIND) NIL NIL))
                                            NIL))
                                          NIL))
                                        NIL))
                                      NIL))
                                    NIL))
                                  NIL))
                                NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL)
                     ("2" (HIDE -1)
                      (("2" (EXPAND "dbl" -1)
                        (("2" (SPLIT)
                          (("1" (REPLACE -1)
                            (("1" (HIDE -1)
                              (("1" (INST 2 "y!1")
                                (("1"
                                  (ASSERT)
                                  (("1"
                                    (TYPEPRED "G!1")
                                    (("1"
                                      (INST?)
                                      (("1"
                                        (ASSERT)
                                        (("1"
                                          (INST?)
                                          (("1"
                                            (EXPAND "dbl")
                                            (("1" (PROPAX) NIL NIL))
                                            NIL))
                                          NIL))
                                        NIL)
                                       ("2"
                                        (INST?)
                                        (("2" (ASSERT) NIL NIL))
                                        NIL))
                                      NIL))
                                    NIL))
                                  NIL))
                                NIL))
                              NIL))
                            NIL)
                           ("2" (REPLACE -1)
                            (("2" (HIDE -1)
                              (("2" (INST 2 "x!2")
                                (("2"
                                  (ASSERT)
                                  (("2"
                                    (TYPEPRED "G!1")
                                    (("2"
                                      (INST?)
                                      (("1"
                                        (ASSERT)
                                        (("1"
                                          (INST?)
                                          (("1"
                                            (EXPAND "dbl")
                                            (("1" (PROPAX) NIL NIL))
                                            NIL))
                                          NIL))
                                        NIL)
                                       ("2"
                                        (INST?)
                                        (("2" (ASSERT) NIL NIL))
                                        NIL))
                                      NIL))
                                    NIL))
                                  NIL))
                                NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL))
                NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|other_vert| "" (SKOSIMP*)
    (("" (TYPEPRED "e!1")
      (("" (SKOSIMP*)
        (("" (REPLACE -1)
          (("" (HIDE -1)
            (("" (EXPAND "dbl" -1)
              (("" (PROP)
                (("1" (REPLACE -1)
                  (("1" (HIDE -1)
                    (("1" (INST 2 "y!1")
                      (("1" (TYPEPRED "G!1")
                        (("1" (INST?)
                          (("1" (ASSERT)
                            (("1" (INST -1 "y!1")
                              (("1" (EXPAND "dbl" -1)
                                (("1"
                                  (ASSERT)
                                  (("1"
                                    (HIDE -1 -2)
                                    (("1"
                                      (APPLY-EXTENSIONALITY 2 :HIDE? T)
                                      (("1" (GRIND) NIL NIL))
                                      NIL))
                                    NIL))
                                  NIL))
                                NIL))
                              NIL))
                            NIL)
                           ("2" (INST?)
                            (("2" (ASSERT)
                              (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T)
                                (("2" (GRIND) NIL NIL)) NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL)
                 ("2" (REPLACE -1)
                  (("2" (HIDE -1)
                    (("2" (INST 2 "x!1")
                      (("2" (TYPEPRED "G!1")
                        (("2" (INST?)
                          (("1" (ASSERT)
                            (("1" (INST -1 "x!1")
                              (("1" (ASSERT)
                                (("1"
                                  (EXPAND "dbl")
                                  (("1" (PROPAX) NIL NIL))
                                  NIL))
                                NIL))
                              NIL))
                            NIL)
                           ("2" (INST?) (("2" (ASSERT) NIL NIL)) NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL))
                NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|edge_has_2_verts| "" (SKOSIMP*)
    (("" (TYPEPRED "e!1")
      (("" (SKOSIMP*)
        (("" (REPLACE -1)
          (("" (HIDE -1)
            (("" (APPLY-EXTENSIONALITY 3 :HIDE? T)
              (("" (EXPAND "dbl")
                (("" (IFF) (("" (GROUND) NIL NIL)) NIL)) NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|dbl_uneq| "" (SKOSIMP*)
    (("" (TYPEPRED "e!1")
      (("" (SKOSIMP*)
        (("" (LEMMA "dbl_eq")
          (("" (INST -1 "x!2" "x!1" "y!1" "y!2")
            (("" (REPLACE -3 -2 LR)
              (("" (BDDSIMP)
                (("1" (REPLACE -2 -5 LR)
                  (("1" (REPLACE -3 -5 LR) (("1" (PROPAX) NIL NIL)) NIL))
                  NIL)
                 ("2" (REPLACE -2 -5 LR)
                  (("2" (REPLACE -3 -5 LR) (("2" (ASSERT) NIL NIL)) NIL))
                  NIL))
                NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|edges_symm_TCC1| "" (SKOSIMP*)
    (("" (TYPEPRED "e!1")
      (("" (SKOSIMP*)
        (("" (INST 2 "x!2" "y!2")
          (("" (REPLACE -3 -1)
            (("" (LEMMA "dbl_comm")
              (("" (INST -1 "y!1" "x!1")
                (("" (REPLACE -1 2 LR) (("" (ASSERT) NIL NIL)) NIL))
                NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|edges_symm| "" (SKOSIMP*)
    (("" (LEMMA "dbl_comm")
      (("" (INST? -1)
        (("" (REPLACE -3 -2 LR)
          (("" (REPLACE -1 -2 LR) (("" (PROPAX) NIL NIL)) NIL)) NIL))
        NIL))
      NIL))
    NIL)
   (|empty?_rew| "" (SKOSIMP*)
    (("" (LEMMA " card_empty?[T]")
      (("" (INST?)
        (("" (EXPAND "empty?" 1)
          (("" (REPLACE -1) (("" (PROPAX) NIL NIL)) NIL)) NIL))
        NIL))
      NIL))
    NIL)
   (|edges_of_empty| "" (SKOSIMP*)
    (("" (EXPAND "empty?")
      (("" (APPLY-EXTENSIONALITY 1 :HIDE? T)
        (("" (EXPAND "emptyset")
          (("" (EXPAND "empty?")
            (("" (TYPEPRED "x!1")
              (("" (SKOSIMP*)
                (("" (INST -3 "y!1")
                  (("" (EXPAND "member")
                    (("" (TYPEPRED "G!1")
                      (("" (INST?)
                        (("" (ASSERT)
                          (("" (INST -1 "y!1")
                            (("" (REPLACE -2)
                              (("" (EXPAND "dbl") (("" (PROPAX) NIL NIL))
                                NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL))
                NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|singleton_edges| "" (SKOSIMP*)
    (("" (EXPAND "singleton?")
      (("" (EXPAND "size")
        (("" (LEMMA "card_one[T]")
          (("" (INST?)
            (("" (ASSERT)
              (("" (HIDE -2)
                (("" (SKOSIMP*)
                  (("" (EXPAND "empty?")
                    (("" (SKOSIMP*)
                      (("" (EXPAND "member")
                        (("" (TYPEPRED "x!2")
                          (("" (SKOSIMP*)
                            (("" (REPLACE -1)
                              (("" (HIDE -1)
                                ((""
                                  (TYPEPRED "G!1")
                                  ((""
                                    (INST?)
                                    (("1"
                                      (ASSERT)
                                      (("1"
                                        (INST-CP -1 "x!3")
                                        (("1"
                                          (INST -1 "y!1")
                                          (("1"
                                            (EXPAND "dbl")
                                            (("1"
                                              (HIDE -4)
                                              (("1"
                                                (REPLACE -3)
                                                (("1"
                                                  (HIDE -3)
                                                  (("1"
                                                    (EXPAND "singleton")
                                                    (("1"
                                                      (ASSERT)
                                                      NIL
                                                      NIL))
                                                    NIL))
                                                  NIL))
                                                NIL))
                                              NIL))
                                            NIL))
                                          NIL))
                                        NIL))
                                      NIL)
                                     ("2"
                                      (INST?)
                                      (("2" (ASSERT) NIL NIL))
                                      NIL))
                                    NIL))
                                  NIL))
                                NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL))
                  NIL))
                NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|edge_in_card_gt_1| "" (SKOSIMP*)
    (("" (TYPEPRED "e!1")
      (("" (SKOSIMP*)
        (("" (REPLACE -1)
          (("" (HIDE -1)
            (("" (TYPEPRED "G!1")
              (("" (ASSERT)
                (("" (INST?)
                  (("1" (ASSERT)
                    (("1" (HIDE -2)
                      (("1" (INST-CP -1 "x!1")
                        (("1" (INST -1 "y!1")
                          (("1" (EXPAND "dbl")
                            (("1"
                              (CASE "subset?(add(x!1,singleton(y!1)),vert(G!1))
 ")
                              (("1" (LEMMA "card_subset[T]")
                                (("1"
                                  (INST?)
                                  (("1"
                                    (REWRITE "card_add")
                                    (("1"
                                      (REWRITE "card_singleton")
                                      (("1"
                                        (ASSERT)
                                        (("1"
                                          (HIDE -2)
                                          (("1"
                                            (EXPAND "singleton")
                                            (("1" (ASSERT) NIL NIL))
                                            NIL))
                                          NIL))
                                        NIL))
                                      NIL))
                                    NIL))
                                  NIL))
                                NIL)
                               ("2" (GRIND) NIL NIL))
                              NIL))
                            NIL))
                          NIL))
                        NIL))
                      NIL))
                    NIL)
                   ("2" (INST?) (("2" (ASSERT) NIL NIL)) NIL))
                  NIL))
                NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|not_singleton_2_vert| "" (SKOSIMP*)
    (("" (EXPAND "empty?")
      (("" (LEMMA "card_empty?[T]")
        (("" (INST?)
          (("" (IFF)
            (("" (ASSERT)
              (("" (EXPAND "singleton?")
                (("" (EXPAND "size")
                  (("" (LEMMA "card_2_has_2[T]")
                    (("" (INST?) (("" (ASSERT) NIL NIL)) NIL)) NIL))
                  NIL))
                NIL))
              NIL))
            NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|singleton_graph_TCC1| "" (SKOSIMP*)
    (("" (EXPAND "emptyset") (("" (PROPAX) NIL NIL)) NIL)) NIL)
   (|is_sing| "" (SKOSIMP*)
    (("" (EXPAND "singleton_graph")
      (("" (EXPAND "singleton?")
        (("" (EXPAND "size") (("" (REWRITE "card_singleton") NIL NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|finite_dbl| "" (SKOSIMP*)
    (("" (CASE-REPLACE "dbl[T](x!1, y!1) = add(x!1,singleton(y!1))")
      (("1" (HIDE -1) (("1" (REWRITE "finite_add") NIL NIL)) NIL)
       ("2" (HIDE 2)
        (("2" (APPLY-EXTENSIONALITY :HIDE? T) (("2" (GRIND) NIL NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|finite_doubleton| "" (SKOSIMP*)
    (("" (TYPEPRED "e!1")
      (("" (SKOSIMP*)
        (("" (REPLACE -1)
          (("" (HIDE -1) (("" (REWRITE "finite_dbl") NIL NIL)) NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|card_dbl_TCC1| "" (SKOSIMP*) (("" (REWRITE "finite_dbl") NIL NIL))
    NIL)
   (|card_dbl| "" (SKOSIMP*)
    (("" (CASE-REPLACE "dbl(x!1, y!1) = add(x!1,singleton(y!1))")
      (("1" (HIDE -1)
        (("1" (REWRITE "card_add")
          (("1" (REWRITE "card_singleton")
            (("1" (EXPAND "singleton") (("1" (ASSERT) NIL NIL)) NIL))
            NIL))
          NIL))
        NIL)
       ("2" (HIDE 3)
        (("2" (APPLY-EXTENSIONALITY 1 :HIDE? T) (("2" (GRIND) NIL NIL))
          NIL))
        NIL))
      NIL))
    NIL)
   (|dbl_TCC1| "" (SKOSIMP*) (("" (REWRITE "finite_dbl") NIL NIL)) NIL))
  
  
  $$$paths.pvs
  paths[T: TYPE]: THEORY
  
  BEGIN
  
     IMPORTING graphs[T], walks[T], seq_def
  
     G: VAR graph[T]
     x,y,s,t: VAR T
     i,j: VAR nat
     p,ps: VAR prewalk
  
     path?(G,ps): bool = walk?(G,ps) AND (FORALL (i,j: below(l(ps))):
                                            i /= j IMPLIES ps(i) /= ps(j))
  
     Path(G): TYPE = {p: prewalk | path?(G,p)}
  
     path_from?(G,ps,s,t): bool = path?(G,ps) AND from?(ps,s,t)
  
     Path_from(G,s,t): TYPE = {p: prewalk | path_from?(G,p,s,t)}
  
     endpoint?(i: nat, w: prewalk): bool = (i = 0) OR (i = l(w)-1)
  
     path?_verts     : LEMMA path?(G,ps) IMPLIES verts_in?(G,ps)
  
     path_from_l     : LEMMA path_from?(G,ps,s,t) AND s /= t IMPLIES l(ps) >= 2
  
     path_from_in    : LEMMA path_from?(G, ps, s, t) IMPLIES 
                            vert(G)(s) AND vert(G)(t)
  
  
     path?_caret     : LEMMA i <= j AND j < l(ps) AND path?(G,ps) 
                              IMPLIES path?(G,ps^(i,j))
  
     path_from?_caret: LEMMA  i <= j AND j < l(ps) AND path_from?(G, ps, s, t)
                           IMPLIES path_from?(G, ps^(i, j),seq(ps)(i),seq(ps)(j
 ))
  
     path?_rev       : LEMMA path?(G,ps) IMPLIES path?(G,rev(ps))
  
  
     path?_gen_seq2  : LEMMA vert(G)(x) AND vert(G)(y) AND
                              edge?(G)(x,y) IMPLIES path?(G,gen_seq2(G,x,y))
  
     path?_add1      : LEMMA path?(G,p) AND vert(G)(x)
                              AND edge?(G)(seq(p)(l(p)-1),x)
                              AND NOT verts_of(p)(x)
                              IMPLIES path?(G,add1(p,x))                      
  
     path?_trunc1      : LEMMA path?(G,p) AND l(p) > 1 IMPLIES
                              path_from?(G,trunc1(p),seq(p)(0),seq(p)(l(p)-2)) 
  
  
  %  AUTO_REWRITE+ path?_verts  % path?(G,ps) IMPLIES verts_in?(G,ps)
  %  AUTO_REWRITE+ path_from_l  % path?(G,ps,s,t) AND s /= t IMPLIES l(ps) >= 2
  %  AUTO_REWRITE+ path_from_in % path?(G,ps,s,t) -> vert(G)(s) AND vert(G)(t)
  
  
  END paths
  
  
  
  $$$paths.prf
  (|paths|
   (|path?_verts| "" (SKOSIMP*)
    (("" (EXPAND "path?")
      (("" (EXPAND "walk?") (("" (FLATTEN) (("" (PROPAX) NIL)))))))))
   (|path_from_l| "" (SKOSIMP*)
    (("" (EXPAND "path_from?")
      (("" (FLATTEN)
        (("" (EXPAND "path?")
          (("" (FLATTEN)
            (("" (EXPAND "from?")
              (("" (FLATTEN)
                (("" (EXPAND "fseq")
                  (("" (INST -2 "0" "(l(ps!1)-1)")
                    (("" (SPLIT -2)
                      (("1" (ASSERT) NIL) ("2" (ASSERT) NIL))))))))))))))))))))
 )
   (|path_from_in| "" (SKOSIMP*)
    (("" (EXPAND "path_from?")
      (("" (FLATTEN)
        (("" (EXPAND "path?")
          (("" (FLATTEN)
            (("" (HIDE -2)
              (("" (EXPAND "walk?")
                (("" (FLATTEN)
                  (("" (HIDE -2)
                    (("" (EXPAND "from?")
                      (("" (EXPAND "verts_in?")
                        (("" (FLATTEN)
                          (("" (INST-CP -1 "0")
                            (("" (INST -1 "l(ps!1) - 1")
                              (("" (ASSERT) NIL)))))))))))))))))))))))))))))
   (|path?_caret_TCC1| "" (SUBTYPE-TCC) NIL)
   (|path?_caret_TCC2| "" (SUBTYPE-TCC) NIL)
   (|path?_caret| "" (SKOSIMP*)
    (("" (EXPAND "path?")
      (("" (EXPAND "fseq")
        (("" (FLATTEN)
          (("" (SPLIT 1)
            (("1" (EXPAND "walk?")
              (("1" (SPLIT 1)
                (("1" (FLATTEN)
                  (("1" (HIDE -4 -5)
                    (("1" (EXPAND "verts_in?")
                      (("1" (SKOSIMP*)
                        (("1" (TYPEPRED "i!2")
                          (("1" (EXPAND "^")
                            (("1" (LIFT-IF)
                              (("1" (ASSERT) (("1" (INST?) NIL)))))))
                           ("2" (SKOSIMP*) NIL)))))))))))
                 ("2" (SKOSIMP*)
                  (("2" (HIDE -6)
                    (("2" (EXPAND "fseq")
                      (("2" (EXPAND "edge?")
                        (("2" (INST - "n!1+i!1")
                          (("2" (EXPAND "^") (("2" (ASSERT) NIL))))))))))))))))
 )
             ("2" (SKOSIMP*)
              (("2" (EXPAND "^")
                (("2" (ASSERT)
                  (("2" (INST - "i!1+i!2" "i!1+j!2")
                    (("1" (ASSERT) NIL)
                     ("2" (TYPEPRED "i!2")
                      (("2" (TYPEPRED "j!2")
                        (("2" (EXPAND "^") (("2" (ASSERT) NIL)))))))
                     ("3" (TYPEPRED "i!2")
                      (("3" (TYPEPRED "i!1")
                        (("3" (EXPAND "^")
                          (("3" (ASSERT) NIL)))))))))))))))))))))))))
   (|path_from?_caret_TCC1| "" (SUBTYPE-TCC) NIL)
   (|path_from?_caret_TCC2| "" (SUBTYPE-TCC) NIL)
   (|path_from?_caret_TCC3| "" (SUBTYPE-TCC) NIL)
   (|path_from?_caret| "" (SKOSIMP*)
    (("" (EXPAND "path_from?")
      (("" (FLATTEN)
        (("" (REWRITE "path?_caret")
          (("" (EXPAND "from?") (("" (EXPAND "^") (("" (ASSERT) NIL))))))))))))
 )
   (|path?_rev_TCC1| "" (SUBTYPE-TCC) NIL)
   (|path?_rev| "" (SKOSIMP*)
    (("" (EXPAND "path?")
      (("" (FLATTEN)
        (("" (REWRITE "walk?_rev")
          (("" (ASSERT)
            (("" (SKOSIMP*)
              (("" (EXPAND "fseq")
                (("" (TYPEPRED "i!1")
                  (("" (TYPEPRED "j!1")
                    (("" (EXPAND "rev")
                      (("" (INST?)
                        (("1" (INST - "l(ps!1) - 1 - j!1")
                          (("1" (ASSERT) NIL) ("2" (ASSERT) NIL)))
                         ("2" (ASSERT) NIL)))))))))))))))))))))))
   (|path?_gen_seq2_TCC1| "" (SUBTYPE-TCC) NIL)
   (|path?_gen_seq2_TCC2| "" (SUBTYPE-TCC) NIL)
   (|path?_gen_seq2| "" (SKOSIMP*)
    (("" (EXPAND "gen_seq2")
      (("" (EXPAND "path?")
        (("" (EXPAND "fseq")
          (("" (SPLIT +)
            (("1" (EXPAND "walk?")
              (("1" (SPLIT +)
                (("1" (EXPAND "verts_in?") (("1" (PROPAX) NIL)))
                 ("2" (SKOSIMP*)
                  (("2" (EXPAND "fseq")
                    (("2" (LIFT-IF) (("2" (GROUND) NIL)))))))))))
             ("2" (SKOSIMP*)
              (("2" (EXPAND "edge?")
                (("2" (FLATTEN)
                  (("2" (LIFT-IF) (("2" (GROUND) NIL)))))))))))))))))))
   (|path?_add1_TCC1| "" (SUBTYPE-TCC) NIL)
   (|path?_add1| "" (SKOSIMP*)
    (("" (EXPAND "path?")
      (("" (FLATTEN)
        (("" (SPLIT +)
          (("1" (REWRITE "walk?_add1") NIL)
           ("2" (SKOSIMP*)
            (("2" (EXPAND "fseq")
              (("2" (EXPAND "add1")
                (("2" (LIFT-IF)
                  (("2" (LIFT-IF)
                    (("2" (EXPAND "verts_of")
                      (("2" (TYPEPRED "i!1")
                        (("2" (TYPEPRED "j!1")
                          (("2" (EXPAND "add1")
                            (("2" (GROUND)
                              (("1" (INST - "i!1" "j!1") (("1" (ASSERT) NIL)))
                               ("2" (EXPAND "fseq")
                                (("2" (INST + "j!1") (("2" (ASSERT) NIL)))))
                               ("3" (INST + "i!1")
                                (("3" (EXPAND "fseq")
                                  (("3" (PROPAX)
                                    NIL)))))))))))))))))))))))))))))))))
   (|path?_trunc1_TCC1| "" (SUBTYPE-TCC) NIL)
   (|path?_trunc1_TCC2| "" (SUBTYPE-TCC) NIL)
   (|path?_trunc1_TCC3| "" (SUBTYPE-TCC) NIL)
   (|path?_trunc1| "" (SKOSIMP*)
    (("" (EXPAND "path_from?")
      (("" (SPLIT 1)
        (("1" (EXPAND "trunc1")
          (("1" (LEMMA "path?_caret")
            (("1" (INST?) (("1" (ASSERT) NIL) ("2" (ASSERT) NIL)))))))
         ("2" (EXPAND "from?")
          (("2" (EXPAND "trunc1")
            (("2" (EXPAND "^") (("2" (ASSERT) NIL))))))))))))))

How-To-Repeat: 

Fix: 
Home Intro Announce FAQ Docs Download Mail Status Bugs Users Related FM Tools