--> I) Base case
open INV
  red inv4(init,bit) .
close

--> II) Inductive cese
--> 1) send1(s)
open ISTEP
-- arbitrary values
-- assumptions
-- successor state
  eq s' = send1(s) .
-- check
  red istep4 .
close

--> 2) rec1(s)
--> c-rec1(s), bs = empty
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bs = empty .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep4 .
close
--> c-rec1(s), bs = b1,bs1, b1 = bit
open ISTEP
-- arbitrary values
  ops b b1 : -> Bool .
  ops bs bs1 : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bs = b1,bs1 .
  eq b1 = bit .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep4 .
close
--> c-rec1(s), bs = b1,bs1, ~(b1 = bit), ~(bit \in bs1)
open ISTEP
-- arbitrary values
  ops b b1 : -> Bool .
  ops bs bs1 : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bs = b1,bs1 .
  eq (b1 = bit) = false .
  eq bit \in bs1 = false .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep4 .
close
--> c-rec1(s), bs = b1,bs1, ~(b1 = bit), bit \in bs1, 
--> b = bit
open ISTEP
-- arbitrary values
  ops b b1 : -> Bool .
  ops bs bs1 : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bs = b1,bs1 .
  eq (b1 = bit) = false .
  eq bit \in bs1 = true .
  eq b = bit .
-- successor state
  eq s' = rec1(s) .
-- check
  red inv8(s,b,b1,bit,empty,bs1) implies istep4 .
close
--> c-rec1(s), bs = b1,bs1, ~(b1 = bit), bit \in bs1, 
--> ~(b = bit), bit1(s) = b
open ISTEP
-- arbitrary values
  ops b b1 : -> Bool .
  ops bs bs1 : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bs = b1,bs1 .
  -- eq (b1 = bit) = false .
  eq b1 = not bit .
  --
  eq bit \in bs1 = true .
  -- eq (b = bit) = false .
  eq b = not bit .
  --
  eq bit1(s) = b .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep4 .
close
--> c-rec1(s), bs = b1,bs1, ~(b1 = bit), bit \in bs1, 
--> ~(b = bit), ~(bit1(s) = b)
open ISTEP
-- arbitrary values
  ops b b1 : -> Bool .
  ops bs bs1 : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bs = b1,bs1 .
  eq (b1 = bit) = false .
  eq bit \in bs1 = true .
  eq (b = bit) = false .
  eq (bit1(s) = b) = false .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep4 .
close
--> ~c-rec1(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-rec1(s) = false .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep4 .
close

--> 3) send2(s)
--> fifo2(s) = empty, bit2(s) = bit
open ISTEP
-- arbitrary values
-- assumptions
  eq fifo2(s) = empty .
  eq bit2(s) = bit .
-- successor state
  eq s' = send2(s) .
-- check
  red istep4 .
close
--> fifo2(s) = empty, ~(bit2(s) = bit)
open ISTEP
-- arbitrary values
-- assumptions
  eq fifo2(s) = empty .
  eq (bit2(s) = bit) = false .
-- successor state
  eq s' = send2(s) .
-- check
  red istep4 .
close
--> fifo2(s) = b,bs, b = bit
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  eq fifo2(s) = b,bs .
  eq b = bit .
-- successor state
  eq s' = send2(s) .
-- check
  red istep4 .
close
--> fifo2(s) = b,bs, ~(b = bit), bit \in bs
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  eq fifo2(s) = b,bs .
  eq (b = bit) = false .
  eq bit \in bs = true .
-- successor state
  eq s' = send2(s) .
-- check
  red istep4 .
close
--> fifo2(s) = b,bs, ~(b = bit), ~(bit \in bs), bit2(s) = bit
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  eq fifo2(s) = b,bs .
  eq (b = bit) = false .
  eq bit \in bs = false .
  eq bit2(s) = bit .
-- successor state
  eq s' = send2(s) .
-- check
  red inv2(s) implies istep4 .
close
--> fifo2(s) = b,bs, ~(b = bit), ~(bit \in bs), 
--> ~(bit2(s) = bit), bit \in put(bs,bit2(s))
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  eq fifo2(s) = b,bs .
  eq (b = bit) = false .
  eq bit \in bs = false .
  eq (bit2(s) = bit) = false .
  eq bit \in put(bs,bit2(s)) = true .
-- successor state
  eq s' = send2(s) .
-- check
  red queue-lemma5(bs,bit,bit2(s)) implies istep4 .
close
--> fifo2(s) = b,bs, ~(bit2(s) = bit), ~(bit \in bs), 
--> ~(bit2(s) = bit), ~(bit \in put(bs,bit2(s)))
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  eq fifo2(s) = b,bs .
  eq (b = bit) = false .
  eq bit \in bs = false .
  eq (bit2(s) = bit) = false .
  eq bit \in put(bs,bit2(s)) = false .
-- successor state
  eq s' = send2(s) .
-- check
  red istep4 .
close

--> 4) rec2(s)
--> c-rec2(s)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  -- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep4 .
close
--> c-rec2(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-rec2(s) = false .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep4 .
close

--> 5) drop1(s)
--> c-drop1(s)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  -- eq c-drop1(s) = true .
  eq fifo1(s) = p,ps .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep4 .
close
--> ~c-drop1(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-drop1(s) = false .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep4 .
close

--> 6) dup1(s)
--> c-dup1(s)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  -- eq c-dup1(s) = true .
  eq fifo1(s) = p,ps .
-- successor state
  eq s' = dup1(s) .
-- check
  red istep4 .
close
--> ~c-dup1(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-dup1(s) = false .
-- successor state
  eq s' = dup1(s) .
-- check
  red istep4 .
close

--> 7) drop2(s)
--> c-drop2(s), bs = empty
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  -- eq c-drop2(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bs = empty .
-- successor state
  eq s' = drop2(s) .
-- check
  red istep4 .
close
--> c-drop2(s), bs = b1,bs1, b1 = bit
open ISTEP
-- arbitrary values
  ops b b1 : -> Bool .
  ops bs bs1 : -> BFifo .
-- assumptions
  -- eq c-drop2(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bs = b1,bs1 .
  eq b1 = bit .
-- successor state
  eq s' = drop2(s) .
-- check
  red istep4 .
close
--> c-drop2(s), bs = b1,bs1, b1 = bit, ~(bit \in bs1)
open ISTEP
-- arbitrary values
  ops b b1 : -> Bool .
  ops bs bs1 : -> BFifo .
-- assumptions
  -- eq c-drop2(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bs = b1,bs1 .
  eq (b1 = bit) = false .
  eq bit \in bs1 = false .
-- successor state
  eq s' = drop2(s) .
-- check
  red istep4 .
close
--> c-drop2(s), bs = b1,bs1, b1 = bit, bit \in bs1,
--> b = bit
open ISTEP
-- arbitrary values
  ops b b1 : -> Bool .
  ops bs bs1 : -> BFifo .
-- assumptions
  -- eq c-drop2(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bs = b1,bs1 .
  eq (b1 = bit) = false .
  eq bit \in bs1 = true .
  eq b = bit .
-- successor state
  eq s' = drop2(s) .
-- check
  red inv8(s,b,b1,bit,empty,bs1) implies istep4 .
close
--> c-drop2(s), bs = b1,bs1, b1 = bit, bit \in bs1,
--> ~(b = bit), b = b1
open ISTEP
-- arbitrary values
  ops b b1 : -> Bool .
  ops bs bs1 : -> BFifo .
-- assumptions
  -- eq c-drop2(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bs = b1,bs1 .
  eq (b1 = bit) = false .
  eq bit \in bs1 = true .
  eq (b = bit) = false .
  eq b = b1 .
-- successor state
  eq s' = drop2(s) .
-- check
  red istep4 .
close
--> c-drop2(s), bs = b1,bs1, b1 = bit, bit \in bs1,
--> ~(b = bit), ~(b = b1)
open ISTEP
-- arbitrary values
  ops b b1 : -> Bool .
  ops bs bs1 : -> BFifo .
-- assumptions
  -- eq c-drop2(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bs = b1,bs1 .
  eq (b1 = bit) = false .
  eq bit \in bs1 = true .
  eq (b = bit) = false .
  eq (b = b1) = false .
-- successor state
  eq s' = drop2(s) .
-- check
  red eqbool-lemma2(b,b1,bit) implies istep4 .
close
--> ~c-drop2(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-drop2(s) = false .
-- successor state
  eq s' = drop2(s) .
-- check
  red istep4 .
close

--> 8) dup2(s)
--> c-dup2(s), bit = b
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  -- eq c-dup2(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bit = b .
-- successor state
  eq s' = dup2(s) .
-- check
  red istep4 .
close
--> c-dup2(s), ~(bit = b)
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  -- eq c-dup2(s) = true .
  eq fifo2(s) = b,bs .
--
  eq (bit = b) = false .
-- successor state
  eq s' = dup2(s) .
-- check
  red istep4 .
close
--> ~c-dup2(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-dup2(s) = false .
-- successor state
  eq s' = dup2(s) .
-- check
  red istep4 .
close

--> QED