-- I) Base case

open INV
  red inv130(init,tag) .
close

-- II) Inductive ceses

--> 1) send1(s)
open ISTEP
-- arbitrary objects
-- assumptions
-- successor state
  eq s' = send1(s) .
-- check if the predicate is true.
  red istep130(tag) .
close

--> 2) rec1(s)
-- 2.1) c-rec1(s)
open ISTEP
-- arbitrary objects
  op tag10 : -> Tagvalue .
-- assumptions
  -- eq c-rec1(s) = true .
  eq empty?(fifo2(s)) = false .
--
  eq fifo2(s) = tag10 | empty .
-- successor state
  eq s' = rec1(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  ops tag10 tag20 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq empty?(fifo2(s)) = false .
--
  eq fifo2(s) = tag10 | tag20 | bfifo10 .
  eq tag20 = tag .
-- successor state
  eq s' = rec1(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  ops tag10 tag20 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq empty?(fifo2(s)) = false .
--
  eq fifo2(s) = tag10 | tag20 | bfifo10 .
  eq (tag20 = tag) = false .
  eq tag \in bfifo10 = false .
-- successor state
  eq s' = rec1(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  ops tag10 tag20 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq empty?(fifo2(s)) = false .
--
  eq fifo2(s) = tag10 | tag20 | bfifo10 .
  eq (tag20 = tag) = false .
  eq tag \in bfifo10 = true .
  eq tag10 = tag .
-- successor state
  eq s' = rec1(s) .
-- check if the predicate is true.
  red inv170(s,tag10,tag20,tag,bfifo10) implies istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  ops tag10 tag20 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq empty?(fifo2(s)) = false .
--
  eq fifo2(s) = tag10 | tag20 | bfifo10 .
  eq (tag20 = tag) = false .
  eq tag \in bfifo10 = true .
  eq (tag10 = tag) = false .
  eq tag1(s) = tag10 .
-- facts
  -- if tag = up, then tag10 = down and tag20 = down.
  -- if tag = down, then tag10 = up and tag20 = up.
  eq (tag10 = tag20) = true .  
-- successor state
  eq s' = rec1(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  ops tag10 tag20 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  -- eq c-rec1(s) = true .
  eq empty?(fifo2(s)) = false .
--
  eq fifo2(s) = tag10 | tag20 | bfifo10 .
  eq (tag20 = tag) = false .
  eq tag \in bfifo10 = true .
  eq (tag10 = tag) = false .
  eq (tag1(s) = tag10) = false .
-- successor state
  eq s' = rec1(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
-- 2.2) not c-rec1(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-rec1(s) = false .
-- successor state
  eq s' = rec1(s) .
-- check if the predicate is true.
  red istep130(tag) .
close

--> 3) send2(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq fifo2(s) = empty .
  eq tag2(s) = tag .
-- successor state
  eq s' = send2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
-- assumptions
  eq fifo2(s) = empty .
  eq (tag2(s) = tag) = false .
-- successor state
  eq s' = send2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  op tag10 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  eq fifo2(s) = tag10 | bfifo10 .
  eq tag10 = tag .
-- successor state
  eq s' = send2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  op tag10 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  eq fifo2(s) = tag10 | bfifo10 .
  eq (tag10 = tag) = false .
  eq tag \in bfifo10 = true .
-- successor state
  eq s' = send2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  op tag10 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  eq fifo2(s) = tag10 | bfifo10 .
  eq (tag10 = tag) = false .
  eq tag \in bfifo10 = false .
  eq tag2(s) = tag .
-- successor state
  eq s' = send2(s) .
-- check if the predicate is true.
  red inv110(s) implies istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  op tag10 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  eq fifo2(s) = tag10 | bfifo10 .
  eq (tag10 = tag) = false .
  eq tag \in bfifo10 = false .
  eq (tag2(s) = tag) = false .
-- successor state
  eq s' = send2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close

--> 4) rec2(s)
-- 4.1) c-rec2(s)
open ISTEP
-- arbitrary objects
-- assumptions
  -- eq c-rec2(s) = true .
  eq empty?(fifo1(s)) = false .
-- successor state
  eq s' = rec2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
-- 4.2) c-rec2(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-rec2(s) = false .
-- successor state
  eq s' = rec2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close

--> 5) drop1(s)
-- 5.1) c-drop1(s)
open ISTEP
-- arbitrary objects
-- assumptions
  -- eq c-drop1(s) = true .
  eq empty?(fifo1(s)) = false .
-- successor state
  eq s' = drop1(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
-- 5.2) not c-drop1(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-drop1(s) = false .
-- successor state
  eq s' = drop1(s) .
-- check if the predicate is true.
  red istep130(tag) .
close

--> 6) dup1(s)
-- 6.1) c-dup1(s)
open ISTEP
-- arbitrary objects
-- assumptions
  -- eq c-dup1(s) = true .
  eq empty?(fifo1(s)) = false .
-- successor state
  eq s' = dup1(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
-- 6.2) not c-dup1(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-dup1(s) = false .
-- successor state
  eq s' = dup1(s) .
-- check if the predicate is true.
  red istep130(tag) .
close

--> 7) drop2(s)
-- 7.1) c-drop2(s)
open ISTEP
-- arbitrary objects
  op tag10 : -> Tagvalue .
-- assumptions
  -- eq c-drop2(s) = true .
  eq empty?(fifo2(s)) = false .
--
  eq fifo2(s) = tag10 | empty .
-- successor state
  eq s' = drop2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  ops tag10 tag20 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  -- eq c-drop2(s) = true .
  eq empty?(fifo2(s)) = false .
--
  eq fifo2(s) = tag10 | tag20 | bfifo10 .
  eq (tag20 = tag) = true .
-- successor state
  eq s' = drop2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  ops tag10 tag20 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  -- eq c-drop2(s) = true .
  eq empty?(fifo2(s)) = false .
--
  eq fifo2(s) = tag10 | tag20 | bfifo10 .
  eq (tag20 = tag) = false .
  eq tag \in bfifo10 = false .
-- successor state
  eq s' = drop2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  ops tag10 tag20 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  -- eq c-drop2(s) = true .
  eq empty?(fifo2(s)) = false .
--
  eq fifo2(s) = tag10 | tag20 | bfifo10 .
  eq (tag20 = tag) = false .
  eq tag \in bfifo10 = true .
  eq tag10 = tag .
-- successor state
  eq s' = drop2(s) .
-- check if the predicate is true.
  red inv170(s,tag10,tag20,tag,bfifo10) implies istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  ops tag10 tag20 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  -- eq c-drop2(s) = true .
  eq empty?(fifo2(s)) = false .
--
  eq fifo2(s) = tag10 | tag20 | bfifo10 .
  eq (tag20 = tag) = false .
  eq tag \in bfifo10 = true .
  eq (tag10 = tag) = false .
  eq tag1(s) = tag10 .
-- facts
  -- if tag = up, then tag10 = down and tag20 = down.
  -- if tag = down, then tag10 = up and tag20 = up.
  eq (tag10 = tag20) = true .  
-- successor state
  eq s' = drop2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  ops tag10 tag20 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  -- eq c-drop2(s) = true .
  eq empty?(fifo2(s)) = false .
--
  eq fifo2(s) = tag10 | tag20 | bfifo10 .
  eq (tag20 = tag) = false .
  eq tag \in bfifo10 = true .
  eq (tag10 = tag) = false .
  eq (tag1(s) = tag10) = false .
-- successor state
  eq s' = drop2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
-- 7.2) not c-drop2(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-drop2(s) = false .
-- successor state
  eq s' = drop2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close

--> 8) dup2(s)
-- 8.1) c-dup2(s)
open ISTEP
-- arbitrary objects
  op tag10 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  -- eq c-dup2(s) = true .
  -- eq empty?(fifo2(s)) = false .
  eq fifo2(s) = tag10 | bfifo10 .
--
  eq tag = tag10 .
-- successor state
  eq s' = dup2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
open ISTEP
-- arbitrary objects
  op tag10 : -> Tagvalue .
  op bfifo10 : -> BFifo .
-- assumptions
  -- eq c-dup2(s) = true .
  -- eq empty?(fifo2(s)) = false .
  eq fifo2(s) = tag10 | bfifo10 .
--
  eq (tag = tag10) = false .
-- successor state
  eq s' = dup2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close
--
-- 8.2) not c-dup2(s)
open ISTEP
-- arbitrary objects
-- assumptions
  eq c-dup2(s) = false .
-- successor state
  eq s' = dup2(s) .
-- check if the predicate is true.
  red istep130(tag) .
close

--> Q.E.D.