--> I) Base case
open INV
  red inv7(init,pair) .
close

--> II) Inductive cese
--> 1) send1(s)
--> fifo1(s) = empty, pair = < bit1(s) , pac(next(s)) >
open ISTEP
-- arbitrary values
-- assumptions
  eq fifo1(s) = empty .
  eq pair = < bit1(s) , pac(next(s)) > .
-- successor state
  eq s' = send1(s) .
-- check
  red istep7 .
close
--> fifo1(s) = empty, ~(pair = < bit1(s) , pac(next(s)) >)
open ISTEP
-- arbitrary values
-- assumptions
  eq fifo1(s) = empty .
  eq (pair = < bit1(s) , pac(next(s)) >) = false .
-- successor state
  eq s' = send1(s) .
-- check
  red istep7 .
close
--> fifo1(s) = p,ps, p = pair
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  eq fifo1(s) = p,ps .
  eq p = pair .
-- successor state
  eq s' = send1(s) .
-- check
  red istep7 .
close
--> fifo1(s) = p,ps, ~(p = pair), pair \in ps
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  eq fifo1(s) = p,ps .
  eq (p = pair) = false .
  eq pair \in ps = true .
-- successor state
  eq s' = send1(s) .
-- check
  red istep7 .
close
--> fifo1(s) = p,ps, ~(p = pair), ~(pair \in ps), 
--> bit2(s) = fst(p), p = < bit1(s),pac(next(s)) >, 
--> pair \in put(ps,< bit1(s),pac(next(s)) >)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  eq fifo1(s) = p,ps .
  -- eq (p = pair) = false .
  eq (< bit1(s),pac(next(s)) > = pair) = false .
  --
  eq pair \in ps = false .
  eq bit2(s) = fst(p) .
  eq p = < bit1(s),pac(next(s)) > .
  eq pair \in put(ps,< bit1(s),pac(next(s)) >) = true .
-- successor state
  eq s' = send1(s) .
-- check
  red queue-lemma5(ps,pair,< bit1(s),pac(next(s)) >) 
      implies istep7 .
close
--> fifo1(s) = p,ps, ~(p = pair), ~(pair \in ps), 
--> bit2(s) = fst(p), p = < bit1(s),pac(next(s)) >, 
--> ~(pair \in put(ps,< bit1(s),pac(next(s)) >))
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  eq fifo1(s) = p,ps .
  -- eq (p = pair) = false .
  eq (< bit1(s),pac(next(s)) > = pair) = false .
  --
  eq pair \in ps = false .
  eq bit2(s) = fst(p) .
  eq p = < bit1(s),pac(next(s)) > .
  eq pair \in put(ps,< bit1(s),pac(next(s)) >) = false .
-- successor state
  eq s' = send1(s) .
-- check
  red istep7 .
close
--> fifo1(s) = p,ps, ~(p = pair), ~(pair \in ps), 
--> bit2(s) = fst(p), ~(p = < bit1(s),pac(next(s)) >)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  eq fifo1(s) = p,ps .
  eq (p = pair) = false .
  eq pair \in ps = false .
  eq bit2(s) = fst(p) .
  eq (p = < bit1(s),pac(next(s)) >) = false .
-- successor state
  eq s' = send1(s) .
-- check
  red (pair-lemma1(p,< bit1(s),pac(next(s)) >) and inv3(s)) 
      implies istep7 .
close
--> fifo1(s) = p,ps, ~(p = pair), ~(pair \in ps), 
--> ~(bit2(s) = fst(p)), pair = < bit1(s),pac(next(s)) >
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  eq fifo1(s) = p,ps .
  eq (p = pair) = false .                                  
  eq pair \in ps = false .
  eq (bit2(s) = fst(p)) = false .
  eq pair = < bit1(s),pac(next(s)) > .
-- successor state
  eq s' = send1(s) .
-- check
  red istep7 .
close
--> fifo1(s) = p,ps, ~(p = pair), ~(pair \in ps), 
--> ~(bit2(s) = fst(p)), ~(pair = < bit1(s),pac(next(s)) >), 
--> pair \in put(ps,< bit1(s) , pac(next(s)) >)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  eq fifo1(s) = p,ps .
  eq (p = pair) = false .                                  
  eq pair \in ps = false .
  eq (bit2(s) = fst(p)) = false .
  eq (pair = < bit1(s),pac(next(s)) >) = false .
  eq pair \in put(ps,< bit1(s) , pac(next(s)) >) = true .
-- successor state
  eq s' = send1(s) .
-- check
  red queue-lemma5(ps,pair,< bit1(s) , pac(next(s)) >) 
      implies istep7 .
close
--> fifo1(s) = p,ps, ~(p = pair), ~(pair \in ps), 
--> ~(bit2(s) = fst(p)), ~(pair = < bit1(s),pac(next(s)) >), 
--> ~(pair \in put(ps,< bit1(s) , pac(next(s)) >))
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  eq fifo1(s) = p,ps .
  eq (p = pair) = false .                                  
  eq pair \in ps = false .
  eq (bit2(s) = fst(p)) = false .
  eq (pair = < bit1(s),pac(next(s)) >) = false .
  eq pair \in put(ps,< bit1(s) , pac(next(s)) >) = false .
-- successor state
  eq s' = send1(s) .
-- check
  red istep7 .
close

--> 2) rec1(s)
--> c-rec1(s), bit1(s) = b
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bit1(s) = b .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep7 .
close
--> c-rec1(s), ~(bit1(s) = b), 
--> pair = < b , pac(s(next(s))) >
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq (bit1(s) = b) = false .
  eq pair = < b , pac(s(next(s))) > .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep7 .
close
--> c-rec1(s), ~(bit1(s) = b), 
--> ~(pair = < b , pac(s(next(s))) >), ~(pair \in fifo1(s))
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq (bit1(s) = b) = false .
  eq (pair = < b , pac(s(next(s))) >) = false .
  eq pair \in fifo1(s) = false .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep7 .
close
--> c-rec1(s), ~(bit1(s) = b), 
--> ~(pair = < b , pac(s(next(s))) >), pair \in fifo1(s), 
--> ~(bit2(s) = fst(pair))
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq (bit1(s) = b) = false .
  eq (pair = < b , pac(s(next(s))) >) = false .
  eq pair \in fifo1(s) = true .
  eq (bit2(s) = fst(pair)) = false .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep7 .
close
--> c-rec1(s), ~(bit1(s) = b), 
--> ~(pair = < b , pac(s(next(s))) >), pair \in fifo1(s), 
--> bit2(s) = fst(pair), ~(bit1(s) = fst(pair))
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq (bit1(s) = b) = false .
  eq (pair = < b , pac(s(next(s))) >) = false .
  eq pair \in fifo1(s) = true .
  eq bit2(s) = fst(pair) .
  eq (bit1(s) = fst(pair)) = false .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep7 .
close
--> c-rec1(s), ~(bit1(s) = b), 
--> ~(pair = < b , pac(s(next(s))) >), pair \in fifo1(s), 
--> bit2(s) = fst(pair), bit1(s) = fst(pair)
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq (bit1(s) = b) = false .
  eq (pair = < b , pac(s(next(s))) >) = false .
  eq pair \in fifo1(s) = true .
  eq bit2(s) = fst(pair) .
  eq fst(pair) = bit1(s) .
-- successor state
  eq s' = rec1(s) .
-- check
  red inv2(s) implies istep7 .
close
--> ~c-rec1(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-rec1(s) = false .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep7 .
close

--> 3) send2(s)
open ISTEP
-- arbitrary values
-- assumptions
-- successor state
  eq s' = send2(s) .
-- check
  red istep7 .
close

--> 4) rec2(s)
--> c-rec2(s), ps = empty
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  -- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
--
  eq ps = empty .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep7 .
close
--> c-rec2(s), ps = p1,ps1, p = p1, 
--> bit2(s) = fst(p1), pair = p1
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
-- 
  eq ps = p1,ps1 .
  eq p = p1 .
  eq bit2(s) = fst(p1) .
  eq pair = p1 .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep7 .
close
--> c-rec2(s), ps = p1,ps1, p = p1, 
--> bit2(s) = fst(p1), ~(pair = p1)
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
-- 
  eq ps = p1,ps1 .
  eq p = p1 .
  eq bit2(s) = fst(p1) .
  eq (pair = p1) = false .
-- successor state
  eq s' = rec2(s) .
-- check
  red inv6(s,pair) implies istep7 .
close
--> c-rec2(s), ps = p1,ps1, p = p1, 
--> ~(bit2(s) = fst(p1)), pair = p1
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
-- 
  eq ps = p1,ps1 .
  eq p = p1 .
  eq (bit2(s) = fst(p1)) = false .
  eq pair = p1 .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep7 .
close
--> c-rec2(s), ps = p1,ps1, p = p1, 
--> ~(bit2(s) = fst(p1)), ~(pair = p1)
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
-- 
  eq ps = p1,ps1 .
  eq p = p1 .
  eq (bit2(s) = fst(p1)) = false .
  eq (pair = p1) = false .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep7 .
close
--> c-rec2(s), ps = p1,ps1, ~(p = p1), 
--> bit2(s) = fst(p1), pair = p1
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
-- 
  eq ps = p1,ps1 .
  eq (p = p1) = false .
  eq bit2(s) = fst(p1) .
  eq pair = p1 .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep7 .
close
--> c-rec2(s), ps = p1,ps1, ~(p = p1), 
--> bit2(s) = fst(p1), ~(pair = p1), pair \in ps1
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
-- 
  eq ps = p1,ps1 .
  eq (p = p1) = false .
  eq bit2(s) = fst(p1) .
  eq (pair = p1) = false .
  eq pair \in ps1 = true .
-- successor state
  eq s' = rec2(s) .
-- check
  red inv9(s,p,p1,pair,empty,ps1) implies istep7 .
close
--> c-rec2(s), ps = p1,ps1, ~(p = p1), 
--> bit2(s) = fst(p1), ~(pair = p1), ~(pair \in ps1)
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
-- 
  eq ps = p1,ps1 .
  eq (p = p1) = false .
  eq bit2(s) = fst(p1) .
  eq (pair = p1) = false .
  eq pair \in ps1 = false .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep7 .
close
--> c-rec2(s), ps = p1,ps1, ~(p = p1), 
--> ~(bit2(s) = fst(p1)), pair = p1, p1 = < bit1(s) , pac(next(s)) >
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
-- 
  eq ps = p1,ps1 .
  eq (p = p1) = false .
  eq (bit2(s) = fst(p1)) = false .
  eq pair = p1 .
  eq p1 = < bit1(s) , pac(next(s)) > .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep7 .
close
--> c-rec2(s), ps = p1,ps1, ~(p = p1), 
--> ~(bit2(s) = fst(p1)), pair = p1, ~(p1 = < bit1(s) , pac(next(s)) >)
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
--
  eq ps = p1,ps1 .
  eq (p = p1) = false .
  eq (bit2(s) = fst(p1)) = false .
  eq pair = p1 .
  eq (p1 = < bit1(s) , pac(next(s)) >) = false .
-- successor state
  eq s' = rec2(s) .
-- check
  red inv9(s,p,p1,pair,empty,ps1) implies istep7 .
close
--> c-rec2(s), ps = p1,ps1, ~(p = p1), 
--> ~(bit2(s) = fst(p1)), ~(pair = p1), ~(fst(p) = bit2(s))
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
--
  eq ps = p1,ps1 .
  eq (p = p1) = false .
  eq (bit2(s) = fst(p1)) = false .
  eq (pair = p1) = false .
  eq (fst(p) = bit2(s)) = false .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep7 .
close
--> c-rec2(s), ps = p1,ps1, ~(p = p1), 
--> ~(bit2(s) = fst(p1)), ~(pair = p1), fst(p) = bit2(s), 
--> pair = < bit1(s),pac(next(s)) >
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
--
  eq ps = p1,ps1 .
  eq (p = p1) = false .
  eq (bit2(s) = fst(p1)) = false .
  eq (pair = p1) = false .
  eq fst(p) = bit2(s) .
  eq pair = < bit1(s),pac(next(s)) > .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep7 .
close
--> c-rec2(s), ps = p1,ps1, ~(p = p1), 
--> ~(bit2(s) = fst(p1)), ~(pair = p1), fst(p) = bit2(s), 
--> ~(pair = < bit1(s),pac(next(s)) >)
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
--
  eq ps = p1,ps1 .
  eq (p = p1) = false .
  eq (bit2(s) = fst(p1)) = false .
  eq (pair = p1) = false .
  eq fst(p) = bit2(s) .
  eq (pair = < bit1(s),pac(next(s)) >) = false .
-- successor state
  eq s' = rec2(s) .
-- check
  red inv9(s,p,p1,pair,empty,ps1) implies istep7 .
close
--> ~c-rec2(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-rec2(s) = false .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep7 .
close

--> 5) drop1(s)
--> c-drop1(s), ps = empty
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  -- eq c-drop1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq ps = empty .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep7 .
close
--> c-drop1(s), ps = p1,ps1, p = p1, pair = p1
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-drop1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq ps = p1,ps1 .
  eq p = p1 .
  eq pair = p1 .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep7 .
close
--> c-drop1(s), ps = p1,ps1, p = p1, ~(pair = p1)
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-drop1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq ps = p1,ps1 .
  eq p = p1 .
  eq (pair = p1) = false .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep7 .
close
--> c-drop1(s), ps = p1,ps1, ~(p = p1), pair = p1
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-drop1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq ps = p1,ps1 .
  eq (p = p1) = false .
  eq pair = p1 .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep7 .
close
--> c-drop1(s), ps = p1,ps1, ~(p = p1), 
--> ~(pair = p1), pair = p
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-drop1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq ps = p1,ps1 .
  eq (p = p1) = false .
  eq (pair = p1) = false .
  eq pair = p .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep7 .
close
--> c-drop1(s), ps = p1,ps1, ~(p = p1), 
--> ~(pair = p1), ~(pair = p)
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
  -- eq c-drop1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq ps = p1,ps1 .
  eq (p = p1) = false .
  eq (pair = p1) = false .
  eq (pair = p) = false .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep7 .
close
--> ~c-drop1(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-drop1(s) = false .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep7 .
close

--> 6) dup1(s)
--> c-dup1(s), pair = p
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  -- eq c-dup1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq pair = p .
-- successor state
  eq s' = dup1(s) .
-- check
  red istep7 .
close
--> c-dup1(s), ~(pair = p)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  -- eq c-dup1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq (pair = p) = false .
-- successor state
  eq s' = dup1(s) .
-- check
  red istep7 .
close
--> ~c-dup1(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-dup1(s) = false .
-- successor state
  eq s' = dup1(s) .
-- check
  red istep7 .
close

--> 7) drop2(s)
--> c-drop2(s)
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  -- eq c-drop2(s) = true .
  eq fifo2(s) = b,bs .
-- successor state
  eq s' = drop2(s) .
-- check
  red istep7 .
close
--> ~c-drop2(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-drop2(s) = false .
-- successor state
  eq s' = drop2(s) .
-- check
  red istep7 .
close

--> 8) dup2(s)
--> c-dup2(s)
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
  -- eq c-dup2(s) = true .
  eq fifo2(s) = b,bs .
-- successor state
  eq s' = dup2(s) .
-- check
  red istep7 .
close
--> ~c-dup2(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-dup2(s) = false .
-- successor state
  eq s' = dup2(s) .
-- check
  red istep7 .
close

--> QED