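-- Proof score for invariant inv5 of the alternating-bit-protocol OTS,
-- by induction on reachable states.  Restored to one directive per line:
-- in CafeOBJ a "--" or "-->" comment runs to end of line, so with the
-- whole score collapsed onto one line everything after the first marker
-- is a comment and none of the reductions below are actually executed.
--
-- Structure: the base case reduces inv5(init) inside INV; every
-- inductive step opens ISTEP, fixes the successor state s' and reduces
-- istep5 (presumably inv5(s) implies inv5(s') -- confirm against ISTEP).
-- Each "red" must print true; "Q.E.D." at the end is only justified once
-- every reduction does, and once the lemmas inv2 and inv4 used below are
-- themselves proved (they are applied to s only, i.e. as strengthening of
-- the induction hypothesis, so a mutual dependency among the invariants
-- is the usual simultaneous-induction scheme, not circular reasoning).
--
-- NOTE(review): the transitions covered here are send/rec/drop on each
-- channel, i.e. message loss only.  No injection or reordering transition
-- appears, so this score says nothing about an active network adversary;
-- do not cite it as a security argument beyond a lossy channel model.
--> I) Base case
open INV
  red inv5(init) .
close
--> II) Induction case
--> 1) send1(s)
--> bit2(s) = bit1(s)
open ISTEP
  -- arbitrary values
  -- assumptions
  eq bit2(s) = bit1(s) .
  -- successor state
  eq s' = send1(s) .
  -- check (uses lemma inv2, proved in its own score)
  red inv2(s) implies istep5 .
close
--> ~(bit2(s) = bit1(s))
open ISTEP
  -- arbitrary values
  -- assumptions
  eq (bit2(s) = bit1(s)) = false .
  -- successor state
  eq s' = send1(s) .
  -- check
  red istep5 .
close
--> 2) rec1(s)
--> c-rec1(s)
open ISTEP
  -- arbitrary values
  op b : -> Bool .
  -- assumptions
  -- The effective condition c-rec1(s) is stated in constructor form so
  -- that the transition equations can fire; presumably c-rec1(s) holds
  -- exactly when cell2(s) is non-empty -- confirm against the ABP module.
  -- eq c-rec1(s) = true .
  eq cell2(s) = c(b) .
  -- successor state
  eq s' = rec1(s) .
  -- check
  red istep5 .
close
--> ~c-rec1(s)
open ISTEP
  -- arbitrary values
  -- assumptions
  eq c-rec1(s) = false .
  -- successor state
  eq s' = rec1(s) .
  -- check
  red istep5 .
close
--> 3) send2(s)
-- Case split: first on bit1(s) = bit2(s); when that is false, on the two
-- independent conditions bit1(s) = get(cell2(s)) and
-- bit2(s) = fst(get(cell1(s))).  The resulting 1 + 4 cases are exhaustive.
--> bit1(s) = bit2(s)
open ISTEP
  -- arbitrary values
  -- assumptions
  eq bit1(s) = bit2(s) .
  -- successor state
  eq s' = send2(s) .
  -- check
  red istep5 .
close
--> ~(bit1(s) = bit2(s)), bit1(s) = get(cell2(s)),
--> bit2(s) = fst(get(cell1(s)))
open ISTEP
  -- arbitrary values
  -- assumptions
  -- The case hypothesis ~(bit1(s) = bit2(s)) is restated with bit1(s)
  -- and bit2(s) replaced by their values under the two equations below,
  -- because the literal form would be rewritten away before it can be
  -- used.  Soundness of this case relies on the restatement being
  -- equivalent under those two assumptions.
  -- eq (bit1(s) = bit2(s)) = false .
  eq (get(cell2(s)) = fst(get(cell1(s)))) = false .
  eq bit1(s) = get(cell2(s)) .
  eq bit2(s) = fst(get(cell1(s))) .
  -- successor state
  eq s' = send2(s) .
  -- check (uses lemma inv4, proved in its own score)
  red inv4(s) implies istep5 .
close
--> ~(bit1(s) = bit2(s)), ~(bit1(s) = get(cell2(s))),
--> bit2(s) = fst(get(cell1(s)))
open ISTEP
  -- arbitrary values
  -- assumptions
  -- Same restatement as above: bit2(s) rewritten to fst(get(cell1(s))).
  -- eq (bit1(s) = bit2(s)) = false .
  eq (bit1(s) = fst(get(cell1(s)))) = false .
  eq (bit1(s) = get(cell2(s))) = false .
  eq bit2(s) = fst(get(cell1(s))) .
  -- successor state
  eq s' = send2(s) .
  -- check (uses lemma inv4, proved in its own score)
  red inv4(s) implies istep5 .
close
--> ~(bit1(s) = bit2(s)), bit1(s) = get(cell2(s)),
--> ~(bit2(s) = fst(get(cell1(s))))
open ISTEP
  -- arbitrary values
  -- assumptions
  -- Same restatement as above: bit1(s) rewritten to get(cell2(s)).
  -- eq (bit1(s) = bit2(s)) = false .
  eq (get(cell2(s)) = bit2(s)) = false .
  eq bit1(s) = get(cell2(s)) .
  eq (bit2(s) = fst(get(cell1(s)))) = false .
  -- successor state
  eq s' = send2(s) .
  -- check
  red istep5 .
close
--> ~(bit1(s) = bit2(s)), ~(bit1(s) = get(cell2(s))),
--> ~(bit2(s) = fst(get(cell1(s))))
open ISTEP
  -- arbitrary values
  -- assumptions
  eq (bit1(s) = bit2(s)) = false .
  eq (bit1(s) = get(cell2(s))) = false .
  eq (bit2(s) = fst(get(cell1(s)))) = false .
  -- successor state
  eq s' = send2(s) .
  -- check
  red istep5 .
close
--> 4) rec2(s)
--> c-rec2(s)
open ISTEP
  -- arbitrary values
  op p : -> BPPair .
  -- assumptions
  -- Effective condition in constructor form; presumably c-rec2(s) holds
  -- exactly when cell1(s) is non-empty -- confirm against the ABP module.
  -- eq c-rec2(s) = true .
  eq cell1(s) = c(p) .
  -- successor state
  eq s' = rec2(s) .
  -- check
  red istep5 .
close
--> ~c-rec2(s)
open ISTEP
  -- arbitrary values
  -- assumptions
  eq c-rec2(s) = false .
  -- successor state
  eq s' = rec2(s) .
  -- check
  red istep5 .
close
--> 5) drop1(s)
--> c-drop1(s)
open ISTEP
  -- arbitrary values
  op p : -> BPPair .
  -- assumptions
  -- Effective condition in constructor form, as for rec2 above.
  -- eq c-drop1(s) = true .
  eq cell1(s) = c(p) .
  -- successor state
  eq s' = drop1(s) .
  -- check
  red istep5 .
close
--> ~c-drop1(s)
open ISTEP
  -- arbitrary values
  -- assumptions
  eq c-drop1(s) = false .
  -- successor state
  eq s' = drop1(s) .
  -- check
  red istep5 .
close
--> 6) drop2(s)
--> c-drop2(s)
open ISTEP
  -- arbitrary values
  op b : -> Bool .
  -- assumptions
  -- Effective condition in constructor form, as for rec1 above.
  -- eq c-drop2(s) = true .
  eq cell2(s) = c(b) .
  -- successor state
  eq s' = drop2(s) .
  -- check
  red istep5 .
close
--> ~c-drop2(s)
open ISTEP
  -- arbitrary values
  -- assumptions
  eq c-drop2(s) = false .
  -- successor state
  eq s' = drop2(s) .
  -- check
  red istep5 .
close
--> Q.E.D.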