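-- Proof score for invariant inv3 of the Alternating Bit Protocol OTS.
--
-- Structure: I) base case, reduced in module INV; II) inductive step, one
--   `open ISTEP ... close` passage per transition (send1, rec1, send2, rec2,
--   drop1, dup1, drop2, dup2) and per case of the case split on that
--   transition's enabling condition and on the values it inspects.
--   istep3 is expected to be `inv3(s) implies inv3(s')` from ISTEP — confirm
--   against the ISTEP module, which is outside this score.
--
-- Every `red` below must reduce to `true`.  Any other result (including an
-- unreduced term) means that case is NOT discharged and the proof is
-- incomplete; do not treat a merely "finished" run as a successful proof.
--
-- Soundness checks a reviewer should make before trusting this score:
--   * Exhaustiveness: under each transition the `-->` labels must cover every
--     possibility for the fresh constants (e.g. for rec2: ps empty / non-empty,
--     bit2(s) = fst(p) or not, p1 = p or not, ...).  A missed case is a gap
--     in the proof, not a warning the tool will raise.
--   * Lemmas inv2, inv6 and inv7 are applied only at the current state `s`
--     (`inv2(s) implies istep3`, `inv6(s,p1) implies istep3`,
--     `inv7(s,p1) implies istep3`), never at `s'`.  Each lemma needs its own
--     proof score; using it here is only sound as part of a simultaneous
--     induction over all of them.
--   * Enabling conditions (`c-rec1(s)`, `c-rec2(s)`, `c-drop1(s)`, ...) are
--     not asserted directly in the positive cases; the `-- eq c-xxx(s) = true .`
--     lines are deliberately commented out and the condition is meant to follow
--     from equating the inspected FIFO with a non-empty one
--     (`eq fifo1(s) = p,ps .`, `eq fifo2(s) = b,bs .`).  This presumes the
--     enabling conditions reduce to true from those equations — verify against
--     their definitions in the OTS module.
--   * Fresh constants (`op p : -> BPPair .` etc.) stand for arbitrary values;
--     no equation may constrain them beyond the stated case assumptions.

--> I) Base case
open INV
  red inv3(init) .
close

--> II) Inductive case

--> 1) send1(s)
--> fifo1(s) = empty
open ISTEP
  -- arbitrary values
  -- assumptions
  eq fifo1(s) = empty .
  -- successor state
  eq s' = send1(s) .
  -- check
  red istep3 .
close
--> fifo1(s) = p,ps
open ISTEP
  -- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
  -- assumptions
  eq fifo1(s) = p,ps .
  -- successor state
  eq s' = send1(s) .
  -- check
  red istep3 .
close

--> 2) rec1(s)
--> c-rec1(s), bit1(s) = b
open ISTEP
  -- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
  -- assumptions
  -- eq c-rec1(s) = true .   (follows from fifo2(s) being non-empty)
  eq fifo2(s) = b,bs .
  --
  eq bit1(s) = b .
  -- successor state
  eq s' = rec1(s) .
  -- check
  red istep3 .
close
--> c-rec1(s), ~(bit1(s) = b), ~(bit2(s) = b)
open ISTEP
  -- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
  -- assumptions
  -- eq c-rec1(s) = true .   (follows from fifo2(s) being non-empty)
  eq fifo2(s) = b,bs .
  --
  eq (bit1(s) = b) = false .
  eq (bit2(s) = b) = false .
  -- successor state
  eq s' = rec1(s) .
  -- check (uses lemma inv2 at state s)
  red inv2(s) implies istep3 .
close
--> c-rec1(s), ~(bit1(s) = b), bit2(s) = b,
--> ~(pac(next(s)) = snd(top(fifo1(s))))
open ISTEP
  -- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
  -- assumptions
  -- eq c-rec1(s) = true .   (follows from fifo2(s) being non-empty)
  eq fifo2(s) = b,bs .
  --
  eq (bit1(s) = b) = false .
  eq bit2(s) = b .
  eq (pac(next(s)) = snd(top(fifo1(s)))) = false .
  -- successor state
  eq s' = rec1(s) .
  -- check
  red istep3 .
close
--> c-rec1(s), ~(bit1(s) = b), bit2(s) = b,
--> pac(next(s)) = snd(top(fifo1(s))), bit1(s) = fst(top(fifo1(s)))
open ISTEP
  -- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
  -- assumptions
  -- eq c-rec1(s) = true .   (follows from fifo2(s) being non-empty)
  eq fifo2(s) = b,bs .
  --
  eq (bit1(s) = b) = false .
  eq bit2(s) = b .
  eq pac(next(s)) = snd(top(fifo1(s))) .
  -- oriented with fst(top(fifo1(s))) on the left so it rewrites to bit1(s)
  eq fst(top(fifo1(s))) = bit1(s) .
  -- successor state
  eq s' = rec1(s) .
  -- check
  red istep3 .
close
--> c-rec1(s), ~(bit1(s) = b), bit2(s) = b,
--> pac(next(s)) = snd(top(fifo1(s))), ~(bit1(s) = fst(top(fifo1(s))))
open ISTEP
  -- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
  -- assumptions
  -- eq c-rec1(s) = true .   (follows from fifo2(s) being non-empty)
  eq fifo2(s) = b,bs .
  --
  eq (bit1(s) = b) = false .
  eq bit2(s) = b .
  eq pac(next(s)) = snd(top(fifo1(s))) .
  eq (bit1(s) = fst(top(fifo1(s)))) = false .
  -- successor state
  eq s' = rec1(s) .
  -- check
  red istep3 .
close
--> ~c-rec1(s)
open ISTEP
  -- arbitrary values
  -- assumptions
  eq c-rec1(s) = false .
  -- successor state
  eq s' = rec1(s) .
  -- check
  red istep3 .
close

--> 3) send2(s)
--> (no case split: send2 is unconditional)
open ISTEP
  -- arbitrary values
  -- assumptions
  -- successor state
  eq s' = send2(s) .
  -- check
  red istep3 .
close

--> 4) rec2(s)
--> c-rec2(s), ps = empty
open ISTEP
  -- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
  -- assumptions
  -- eq c-rec2(s) = true .   (follows from fifo1(s) being non-empty)
  eq fifo1(s) = p,ps .
  --
  eq ps = empty .
  -- successor state
  eq s' = rec2(s) .
  -- check
  red istep3 .
close
--> c-rec2(s), ps = p1,ps1, bit2(s) = fst(p),
--> p1 = p
open ISTEP
  -- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
  -- assumptions
  -- eq c-rec2(s) = true .   (follows from fifo1(s) being non-empty)
  eq fifo1(s) = p,ps .
  --
  eq ps = p1,ps1 .
  eq bit2(s) = fst(p) .
  eq p1 = p .
  -- successor state
  eq s' = rec2(s) .
  -- check
  red istep3 .
close
--> c-rec2(s), ps = p1,ps1, bit2(s) = fst(p),
--> ~(p1 = p)
open ISTEP
  -- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
  -- assumptions
  -- eq c-rec2(s) = true .   (follows from fifo1(s) being non-empty)
  eq fifo1(s) = p,ps .
  --
  eq ps = p1,ps1 .
  eq bit2(s) = fst(p) .
  eq (p1 = p) = false .
  -- successor state
  eq s' = rec2(s) .
  -- check (uses lemma inv6 at state s)
  red inv6(s,p1) implies istep3 .
close
--> c-rec2(s), ps = p1,ps1, ~(bit2(s) = fst(p)),
--> p1 = p
open ISTEP
  -- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
  -- assumptions
  -- eq c-rec2(s) = true .   (follows from fifo1(s) being non-empty)
  eq fifo1(s) = p,ps .
  --
  eq ps = p1,ps1 .
  eq (bit2(s) = fst(p)) = false .
  eq p1 = p .
  -- successor state
  eq s' = rec2(s) .
  -- check
  red istep3 .
close
--> c-rec2(s), ps = p1,ps1, ~(bit2(s) = fst(p)),
--> ~(p1 = p), ~(fst(p1) = bit2(s))
open ISTEP
  -- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
  -- assumptions
  -- eq c-rec2(s) = true .   (follows from fifo1(s) being non-empty)
  eq fifo1(s) = p,ps .
  --
  eq ps = p1,ps1 .
  eq (bit2(s) = fst(p)) = false .
  eq (p1 = p) = false .
  eq (fst(p1) = bit2(s)) = false .
  -- successor state
  eq s' = rec2(s) .
  -- check
  red istep3 .
close
--> c-rec2(s), ps = p1,ps1, ~(bit2(s) = fst(p)),
--> ~(p1 = p), fst(p1) = bit2(s),
--> bit1(s) = bit2(s) and pac(next(s)) = snd(p1)
open ISTEP
  -- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
  -- assumptions
  -- eq c-rec2(s) = true .   (follows from fifo1(s) being non-empty)
  eq fifo1(s) = p,ps .
  --
  eq ps = p1,ps1 .
  eq (bit2(s) = fst(p)) = false .
  eq (p1 = p) = false .
  eq fst(p1) = bit2(s) .
  eq (bit1(s) = bit2(s) and pac(next(s)) = snd(p1)) = true .
  -- successor state
  eq s' = rec2(s) .
  -- check
  red istep3 .
close
--> c-rec2(s), ps = p1,ps1, ~(bit2(s) = fst(p)),
--> ~(p1 = p), fst(p1) = bit2(s),
--> ~(bit1(s) = bit2(s) and pac(next(s)) = snd(p1))
open ISTEP
  -- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
  -- assumptions
  -- eq c-rec2(s) = true .   (follows from fifo1(s) being non-empty)
  eq fifo1(s) = p,ps .
  --
  eq ps = p1,ps1 .
  eq (bit2(s) = fst(p)) = false .
  eq (p1 = p) = false .
  eq fst(p1) = bit2(s) .
  eq (bit1(s) = bit2(s) and pac(next(s)) = snd(p1)) = false .
  -- successor state
  eq s' = rec2(s) .
  -- check (uses lemma inv7 at state s)
  red inv7(s,p1) implies istep3 .
close
--> ~c-rec2(s)
open ISTEP
  -- arbitrary values
  -- assumptions
  eq c-rec2(s) = false .
  -- successor state
  eq s' = rec2(s) .
  -- check
  red istep3 .
close

--> 5) drop1(s)
--> c-drop1(s), ps = empty
open ISTEP
  -- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
  -- assumptions
  -- eq c-drop1(s) = true .   (follows from fifo1(s) being non-empty)
  eq fifo1(s) = p,ps .
  --
  eq ps = empty .
  -- successor state
  eq s' = drop1(s) .
  -- check
  red istep3 .
close
--> c-drop1(s), ps = p1,ps1
open ISTEP
  -- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
  -- assumptions
  -- eq c-drop1(s) = true .   (follows from fifo1(s) being non-empty)
  eq fifo1(s) = p,ps .
  --
  eq ps = p1,ps1 .
  -- successor state
  eq s' = drop1(s) .
  -- check (uses lemma inv7 at state s)
  red inv7(s,p1) implies istep3 .
close
--> ~c-drop1(s)
open ISTEP
  -- arbitrary values
  -- assumptions
  eq c-drop1(s) = false .
  -- successor state
  eq s' = drop1(s) .
  -- check
  red istep3 .
close

--> 6) dup1(s)
--> c-dup1(s)
open ISTEP
  -- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
  -- assumptions
  -- eq c-dup1(s) = true .   (follows from fifo1(s) being non-empty)
  eq fifo1(s) = p,ps .
  -- successor state
  eq s' = dup1(s) .
  -- check
  red istep3 .
close
--> ~c-dup1(s)
open ISTEP
  -- arbitrary values
  -- assumptions
  eq c-dup1(s) = false .
  -- successor state
  eq s' = dup1(s) .
  -- check
  red istep3 .
close

--> 7) drop2(s)
--> c-drop2(s)
open ISTEP
  -- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
  -- assumptions
  -- eq c-drop2(s) = true .   (follows from fifo2(s) being non-empty)
  eq fifo2(s) = b,bs .
  -- successor state
  eq s' = drop2(s) .
  -- check
  red istep3 .
close
--> ~c-drop2(s)
open ISTEP
  -- arbitrary values
  -- assumptions
  eq c-drop2(s) = false .
  -- successor state
  eq s' = drop2(s) .
  -- check
  red istep3 .
close

--> 8) dup2(s)
--> c-dup2(s)
open ISTEP
  -- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
  -- assumptions
  -- eq c-dup2(s) = true .   (follows from fifo2(s) being non-empty)
  eq fifo2(s) = b,bs .
  -- successor state
  eq s' = dup2(s) .
  -- check
  red istep3 .
close
--> ~c-dup2(s)
open ISTEP
  -- arbitrary values
  -- assumptions
  eq c-dup2(s) = false .
  -- successor state
  eq s' = dup2(s) .
  -- check
  red istep3 .
close

--> QED (valid only if every `red` above returned `true` and the proof
-->      scores for lemmas inv2, inv6 and inv7 are discharged as well)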