--> Proof score: inv11 is an invariant of the alternating-bit-protocol OTS.
--> Structure: (I) base case reduces inv11(init,pair) in module INV;
--> (II) inductive step reduces istep11 in module ISTEP once per
--> transition (send1, rec1, send2, rec2, drop1, dup1, drop2, dup2),
--> each under a case split on the values that distinguish the successor.
--> Every open/close fragment must reduce to true for the proof to hold.
--> NOTE(review): istep11 presumably abbreviates inv11(s,pair) implies
--> inv11(s',pair) -- confirm against the definition in ISTEP.
--> NOTE(review): CafeOBJ does not check that a case split is exhaustive;
--> the `-->` labels below are the only record of the split, so each
--> label is kept in sync with the eq assumptions of its fragment and the
--> union of labels per transition should be checked by hand for coverage.
--> Lemmas relied on here (queue-lemma5, pair-lemma1, inv2, inv3, inv6)
--> are assumed, not proved, by this score; they must be discharged
--> separately and must not themselves depend on inv11 (no circularity).
--> Enabling conditions (c-rec1, c-rec2, c-drop1, ...) are kept as comments
--> and replaced by an explicit non-empty FIFO shape (e.g. fifo2(s) = b,bs),
--> under which the condition presumably reduces to true -- confirm.
--> I) Base case
open INV
  red inv11(init,pair) .
close
--> II) Inductive cases
--> 1) send1(s)
--> ~(bit1(s) = bit2(s)), pair = < bit1(s) , pac(next(s)) >
open ISTEP
-- arbitrary values
-- assumptions
  eq (bit1(s) = bit2(s)) = false .
  eq pair = < bit1(s) , pac(next(s)) > .
-- successor state
  eq s' = send1(s) .
-- check
  red istep11 .
close
--> ~(bit1(s) = bit2(s)), ~(pair = < bit1(s) , pac(next(s)) >), pair \in fifo1(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq (bit1(s) = bit2(s)) = false .
  eq (pair = < bit1(s) , pac(next(s)) >) = false .
  eq pair \in fifo1(s) = true .
-- successor state
  eq s' = send1(s) .
-- check
  red istep11 .
close
--> ~(bit1(s) = bit2(s)), ~(pair = < bit1(s) , pac(next(s)) >), ~(pair \in fifo1(s))
open ISTEP
-- arbitrary values
-- assumptions
  eq (bit1(s) = bit2(s)) = false .
  eq (pair = < bit1(s) , pac(next(s)) >) = false .
  eq pair \in fifo1(s) = false .
-- successor state
  eq s' = send1(s) .
-- check: this case needs queue-lemma5 (about membership after an enqueue)
  red queue-lemma5(fifo1(s),pair,< bit1(s),pac(next(s)) >) implies istep11 .
close
--> bit1(s) = bit2(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq bit1(s) = bit2(s) .
-- successor state
  eq s' = send1(s) .
-- check
  red istep11 .
close
--> 2) rec1(s)
--> c-rec1(s), bit1(s) = b
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
--   eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bit1(s) = b .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep11 .
close
--> c-rec1(s), ~(bit1(s) = b), bit2(s) = b
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
--   eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq (bit1(s) = b) = false .
  eq bit2(s) = b .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep11 .
close
--> c-rec1(s), ~(bit1(s) = b), ~(bit2(s) = b)
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
--   eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq (bit1(s) = b) = false .
  eq (bit2(s) = b) = false .
-- successor state
  eq s' = rec1(s) .
-- check: this case needs inv2
  red inv2(s) implies istep11 .
close
--> ~c-rec1(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-rec1(s) = false .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep11 .
close
--> 3) send2(s)
--> no case split: send2 does not touch the values inv11 mentions (presumably)
open ISTEP
-- arbitrary values
-- assumptions
-- successor state
  eq s' = send2(s) .
-- check
  red istep11 .
close
--> 4) rec2(s)
--> c-rec2(s), ~(bit2(s) = fst(p)), ~(pair \in ps)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
--   eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
--
  eq (bit2(s) = fst(p)) = false .
  eq pair \in ps = false .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep11 .
close
--> c-rec2(s), ~(bit2(s) = fst(p)), pair \in ps
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
--   eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
--
  eq (bit2(s) = fst(p)) = false .
  eq pair \in ps = true .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep11 .
close
--> c-rec2(s), bit2(s) = fst(p), ~(pair \in ps)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
--   eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
--
  eq bit2(s) = fst(p) .
  eq pair \in ps = false .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep11 .
close
--> c-rec2(s), bit2(s) = fst(p), pair \in ps, ~(p = pair)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
--   eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
--
  eq bit2(s) = fst(p) .
  eq pair \in ps = true .
  eq (p = pair) = false .
-- successor state
  eq s' = rec2(s) .
-- check: this case needs inv6
  red inv6(s,pair) implies istep11 .
close
--> c-rec2(s), bit2(s) = fst(p), pair \in ps, p = pair,
--> pair = < bit1(s),pac(next(s)) >
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
--   eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
--
  eq bit2(s) = fst(p) .
  eq pair \in ps = true .
  eq p = pair .
  eq pair = < bit1(s),pac(next(s)) > .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep11 .
close
--> c-rec2(s), bit2(s) = fst(p), pair \in ps, p = pair,
--> ~(pair = < bit1(s),pac(next(s)) >)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
--   eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
--
  eq bit2(s) = fst(p) .
  eq pair \in ps = true .
  eq p = pair .
  eq (pair = < bit1(s),pac(next(s)) >) = false .
-- successor state
  eq s' = rec2(s) .
-- check: this case needs pair-lemma1 and inv3
  red (pair-lemma1(pair,< bit1(s),pac(next(s)) >) and inv3(s)) implies istep11 .
close
--> ~c-rec2(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-rec2(s) = false .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep11 .
close
--> 5) drop1(s)
--> c-drop1(s), ~(pair \in ps)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
--   eq c-drop1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq pair \in ps = false .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep11 .
close
--> c-drop1(s), pair \in ps
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
--   eq c-drop1(s) = true .
--   eq (fifo1(s) = empty) = false .
  eq fifo1(s) = p,ps .
--
--   eq pair \in ps = true .
  eq pair \in ps = true .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep11 .
close
--> ~c-drop1(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-drop1(s) = false .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep11 .
close
--> 6) dup1(s)
--> c-dup1(s), ~(pair \in p,p,ps)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
--   eq c-dup1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq pair \in p,p,ps = false .
-- successor state
  eq s' = dup1(s) .
-- check
  red istep11 .
close
--> c-dup1(s), pair \in p,p,ps
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
--   eq c-dup1(s) = true .
  eq fifo1(s) = p,ps .
--
--   eq pair \in p,p,ps = true .
-- NOTE(review): the equation below is meant as the unfolded form of
-- pair \in p,p,ps; confirm it matches the \in definition in the FIFO module.
  eq (pair = p xor pair \in ps and pair = p xor pair \in ps) = true .
-- successor state
  eq s' = dup1(s) .
-- check
  red istep11 .
close
--> ~c-dup1(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-dup1(s) = false .
-- successor state
  eq s' = dup1(s) .
-- check
  red istep11 .
close
--> 7) drop2(s)
--> c-drop2(s)
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
--   eq c-drop2(s) = true .
  eq fifo2(s) = b,bs .
-- successor state
  eq s' = drop2(s) .
-- check
  red istep11 .
close
--> ~c-drop2(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-drop2(s) = false .
-- successor state
  eq s' = drop2(s) .
-- check
  red istep11 .
close
--> 8) dup2(s)
--> c-dup2(s)
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
--   eq c-dup2(s) = true .
  eq fifo2(s) = b,bs .
-- successor state
  eq s' = dup2(s) .
-- check
  red istep11 .
close
--> ~c-dup2(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-dup2(s) = false .
-- successor state
  eq s' = dup2(s) .
-- check
  red istep11 .
close
--> QED