mod! EQBOOL {
  op _=_ : Bool Bool -> Bool {comm}
  vars B B1 B2 : Bool
  eq (B = B) = true .
  eq (true = false) = false .
-- Lemmas
  op eqbool-lemma1 : Bool -> Bool .
  eq eqbool-lemma1(B) = not((not B) = B) .
  op eqbool-lemma2 : Bool Bool -> Bool .
  eq eqbool-lemma2(B1,B2) = (B1 = B2) or ((not B1) = B2) .
}

mod! PNAT {
  [Nat]
  op 0 : -> Nat 
  op s : Nat -> Nat 
  op _=_ : Nat Nat -> Bool {comm}
  vars X Y : Nat 
  eq (X = X) = true .
  eq (0 = 0) = true .
  eq (0 = s(X)) = false .
  eq (s(X) = s(Y)) = (X = Y) .
}

mod! PACKET {
  pr(PNAT)
  [Packet]
  op pac : Nat -> Packet
  op _=_ : Packet Packet -> Bool {comm}
  var P : Packet
  vars X Y : Nat
  eq (P = P) = true .
  eq (pac(X) = pac(Y)) = (X = Y) .
}

mod* EQTRIV {
  [Elt]
  op _=_ : Elt Elt -> Bool {comm}
}

mod! PAIR(M :: EQTRIV,N :: EQTRIV) {
  [Pair]
  op <_,_> : Elt.M Elt.N -> Pair
  op fst : Pair -> Elt.M
  op snd : Pair -> Elt.N
  op _=_ : Pair Pair -> Bool {comm}
  var P : Pair
  vars X1 X2 : Elt.M
  vars Y1 Y2 : Elt.N
  eq fst(< X1,Y1 >) = X1 .
  eq snd(< X1,Y1 >) = Y1 .
  eq (P = P) = true .
  eq (< X1,Y1 > = < X2,Y2 >) = (X1 = X2) and (Y1 = Y2) .
}

mod! CELL(M :: EQTRIV) {
  [Cell]
  op empty : -> Cell
  op c : Elt.M -> Cell
  op get : Cell -> Elt.M
  op _=_ : Cell Cell -> Bool {comm}
  var C : Cell
  vars X Y : Elt.M
  eq get(c(X)) = X .
  eq (C = C) = true .
  eq (empty = empty) = true .
  eq (empty = c(X)) = false .
  eq (c(X) = c(Y)) = (X = Y) .
}

mod! LIST(M :: EQTRIV) {
  [List]
  op nil : -> List
  op __ : Elt.M List -> List
  op hd : List -> Elt.M
  op tl : List -> List 
  op _=_ : List List -> Bool {comm}
  vars L L1 L2 : List
  vars X Y : Elt.M
  eq hd(X L) = X .
  eq tl(X L) = L .
  eq (L = L) = true .
  eq (nil = nil) = true .
  eq (nil = X L) = false .
  eq (X L1 = Y L2) = (X = Y and L1 = L2) .
}

view EQTRIV2PACKET from EQTRIV to PACKET {
  sort Elt -> Packet,
  op _=_ -> _=_
}

mod! PACKET-LIST {
  pr(LIST(M <= EQTRIV2PACKET))
  op mk : Nat -> List 
  var X : Nat
  eq mk(0) = pac(0) nil .
  eq mk(s(X)) = pac(s(X)) mk(X) .
}

view EQTRIV2EQBOOL from EQTRIV to EQBOOL {
  sort Elt -> Bool,
  op _=_ -> _=_
}

mod! BOOL-PACKET-PAIR {
  pr(PAIR(M <= EQTRIV2EQBOOL,N <= EQTRIV2PACKET)*{sort Pair -> BPPair})
}

view EQTRIV2BOOL-PACKET-PAIR from EQTRIV to BOOL-PACKET-PAIR {
  sort Elt -> BPPair,
  op _=_ -> _=_
}

mod! BOOL-CELL {
  pr(CELL(M <= EQTRIV2EQBOOL)*{sort Cell -> BCell})
}

mod! BOOL-PACKET-PAIR-CELL {
  pr(CELL(M <= EQTRIV2BOOL-PACKET-PAIR)*{sort Cell -> PCell})
}

mod* SCP {
  pr(BOOL-CELL)
  pr(BOOL-PACKET-PAIR-CELL)
  pr(PACKET-LIST)
  *[Sys]*
-- any initial state
  op init : -> Sys
-- observations
  bop cell1 : Sys -> PCell
  bop cell2 : Sys -> BCell
  bop bit1 : Sys -> Bool
  bop bit2 : Sys -> Bool
  bop next : Sys -> Nat
  bop list : Sys -> List
-- actions
  bop send1  : Sys -> Sys
  bop rec1   : Sys -> Sys
  bop send2  : Sys -> Sys
  bop rec2   : Sys -> Sys
  bop drop1 : Sys -> Sys
  bop drop2 : Sys -> Sys
-- CafeOBJ  
  var S : Sys
-- init
  eq cell1(init) = empty .
  eq cell2(init) = empty .
  eq bit1(init) = false .
  eq bit2(init) = false .
  eq next(init)  = 0 .
  eq list(init)  = nil .
-- send1
  eq cell1(send1(S)) = c(< bit1(S),pac(next(S)) >) .
  eq cell2(send1(S)) = cell2(S) .
  eq bit1(send1(S)) = bit1(S) .
  eq bit2(send1(S)) = bit2(S) .
  eq next(send1(S))  = next(S) .
  eq list(send1(S))  = list(S) .
-- rec1
  op c-rec1 : Sys -> Bool
  eq c-rec1(S) = not(cell2(S) = empty) .
  --
  eq  cell1(rec1(S)) = cell1(S) .
  ceq cell2(rec1(S)) = empty if c-rec1(S) .
  ceq bit1(rec1(S)) 
      = (if bit1(S) = get(cell2(S)) then bit1(S) else (not bit1(S)) fi) 
      if c-rec1(S) .
  eq  bit2(rec1(S)) = bit2(S) .
  ceq next(rec1(S))  
      = (if bit1(S) = get(cell2(S)) then next(S) else s(next(S)) fi) 
      if c-rec1(S) .
  eq  list(rec1(S))  = list(S) .
  ceq rec1(S)        = S if not c-rec1(S) .
-- send2
  eq cell1(send2(S)) = cell1(S) .
  eq cell2(send2(S)) = c(bit2(S)) .
  eq bit1(send2(S)) = bit1(S) .
  eq bit2(send2(S)) = bit2(S) .
  eq next(send2(S))  = next(S) .
  eq list(send2(S))  = list(S) .
-- rec2
  op c-rec2 : Sys -> Bool
  eq c-rec2(S) = not(cell1(S) = empty) .
  --
  ceq cell1(rec2(S)) = empty if c-rec2(S) .
  eq  cell2(rec2(S)) = cell2(S) .
  eq  bit1(rec2(S)) = bit1(S) .
  ceq bit2(rec2(S)) 
      = (if bit2(S) = fst(get(cell1(S))) 
         then (not bit2(S)) else bit2(S) fi) 
      if c-rec2(S) .
  eq  next(rec2(S))  = next(S) .
  ceq list(rec2(S))  
      = (if bit2(S) = fst(get(cell1(S))) 
         then (snd(get(cell1(S))) list(S)) else list(S) fi) 
      if c-rec2(S) .
  ceq rec2(S)        = S if not c-rec2(S) .
-- drop1
  op c-drop1 : Sys -> Bool
  eq c-drop1(S) = not(cell1(S) = empty) .
  --
  ceq cell1(drop1(S)) = empty if c-drop1(S) .
  eq  cell2(drop1(S)) = cell2(S) .
  eq  bit1(drop1(S)) = bit1(S) .
  eq  bit2(drop1(S)) = bit2(S) .
  eq  next(drop1(S))  = next(S) .
  eq  list(drop1(S))  = list(S) .
  ceq drop1(S)        = S if not c-drop1(S) .
-- drop2
  op c-drop2 : Sys -> Bool
  eq c-drop2(S) = not(cell2(S) = empty) .
  --
  eq  cell1(drop2(S)) = cell1(S) .
  ceq cell2(drop2(S)) = empty if c-drop2(S) .
  eq  bit1(drop2(S)) = bit1(S) .
  eq  bit2(drop2(S)) = bit2(S) .
  eq  next(drop2(S))  = next(S) .
  eq  list(drop2(S))  = list(S) .
  ceq drop2(S)        = S if not c-drop2(S) .
}