-- Proof score: inv1 is checked by induction over the transitions listed below.
-- The base case reduces inv1 on the initial state; every other passage opens
-- ISTEP, fixes the successor state s' for one transition, and reduces istep1.
-- NOTE(review): INV, ISTEP, inv1, istep1, s and s' are declared elsewhere;
-- istep1 is presumably "inv1(s) implies inv1(s')" -- confirm against ISTEP.
-- NOTE(review): the score only records the reductions. The invariant is
-- established only if every `red` below returns true when the file is run;
-- any other result means that passage needs a further case split or a lemma.

--> I) Base case
open INV
  -- inv1 must hold in the initial state.
  red inv1(init) .
close

--> II) Inductive case
--> 1) send1(s)
-- No assumption is made for send1, so this passage covers it in one case
-- (presumably send1 has no effective condition -- confirm against the spec).
open ISTEP
-- arbitrary objects
-- assumptions
-- successor state
  eq s' = send1(s) .
-- check
  red istep1 .
close

--> 2) rec1(s)
-- Two passages: one assuming c-rec1(s) is true, one assuming it is false.
--> c-rec1(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-rec1(s) = true .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep1 .
close
--> ~c-rec1(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-rec1(s) = false .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep1 .
close

--> 3) send2(s)
-- No assumption is made for send2 either (see the note on send1).
open ISTEP
-- arbitrary objects
-- assumptions
-- successor state
  eq s' = send2(s) .
-- check
  red istep1 .
close

--> 4) rec2(s)
-- Split on c-rec2(s) in the same way as rec1.
--> c-rec2(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-rec2(s) = true .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep1 .
close
--> ~c-rec2(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-rec2(s) = false .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep1 .
close

--> 5) drop1(s)
-- NOTE(review): drop1/dup1/drop2/dup2 presumably model the channels losing
-- and duplicating messages -- confirm against the spec. If so, these are the
-- passages that make inv1 hold under an unreliable channel, and they must be
-- kept in step with the fault model whenever the spec changes.
--> c-drop1(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-drop1(s) = true .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep1 .
close
--> ~c-drop1(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-drop1(s) = false .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep1 .
close

--> 6) dup1(s)
--> c-dup1(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-dup1(s) = true .
-- successor state
  eq s' = dup1(s) .
-- check
  red istep1 .
close
--> ~c-dup1(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-dup1(s) = false .
-- successor state
  eq s' = dup1(s) .
-- check
  red istep1 .
close

--> 7) drop2(s)
--> c-drop2(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-drop2(s) = true .
-- successor state
  eq s' = drop2(s) .
-- check
  red istep1 .
close
--> ~c-drop2(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-drop2(s) = false .
-- successor state
  eq s' = drop2(s) .
-- check
  red istep1 .
close

--> 8) dup2(s)
--> c-dup2(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-dup2(s) = true .
-- successor state
  eq s' = dup2(s) .
-- check
  red istep1 .
close
--> ~c-dup2(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-dup2(s) = false .
-- successor state
  eq s' = dup2(s) .
-- check
  red istep1 .
close

-- NOTE(review): the Q.E.D. below is a comment, not a checked result; it is
-- justified only when all seventeen reductions above returned true.
--> Q.E.D.