diff --git a/CreuSAT/src/formula.rs b/CreuSAT/src/formula.rs
index e6365512..7d7a372c 100644
--- a/CreuSAT/src/formula.rs
+++ b/CreuSAT/src/formula.rs
@@ -191,7 +191,7 @@ impl Formula {
     #[cfg_attr(feature = "trust_formula", trusted)]
     #[requires(self.invariant())]
     #[requires(a.invariant(*self))]
-    #[ensures(result == self.sat(*a))]
+    #[ensures(result == a.real_model().satisfies(self.real_model()))]
     pub fn is_sat(&self, a: &Assignments) -> bool {
         let mut i: usize = 0;
         #[invariant(prev, forall<k: Int> 0 <= k && k < @i ==> (@self.clauses)[k].sat(*a))]
diff --git a/CreuSAT/src/logic/logic.rs b/CreuSAT/src/logic/logic.rs
index 8cc03af9..896df042 100644
--- a/CreuSAT/src/logic/logic.rs
+++ b/CreuSAT/src/logic/logic.rs
@@ -1,4 +1,3 @@
-extern crate creusot_contracts;
 use creusot_contracts::std::*;
 use creusot_contracts::*;
 
@@ -6,6 +5,60 @@ use crate::{assignments::*, clause::*, formula::*, lit::*, trail::*};
 
 use crate::logic::{logic_assignments::*, logic_clause::*, logic_formula::*, logic_trail::*};
 
+#[cfg(feature = "contracts")]
+mod inner {
+    use creusot_contracts::{*, Model};
+    use crate::lit::Lit;
+    use crate::formula::Formula;
+    use crate::assignments::Assignments;
+    pub struct M(Mapping<Int, bool>);
+
+    impl M {
+        #[predicate]
+        fn satisfies_clause(self, cl: Seq<Lit>) -> bool {
+            pearlite! {
+                exists<i : Int> 0 <= i && i < cl.len() && self.0.get(@cl[i].idx) == cl[i].polarity
+            }
+        }
+
+        #[predicate]
+        pub fn satisfies(self, fml: Seq<Seq<Lit>>) -> bool {
+            pearlite! {
+                forall<c : _> 0 <= c && c < fml.len() ==> self.satisfies_clause(fml[c])
+            }
+        }
+    }
+
+    impl Formula {
+        #[predicate]
+        pub fn unsat(self) -> bool {
+            pearlite! { forall<m : M> m.satisfies(self.real_model()) ==> false }
+        }
+
+        #[predicate]
+        pub fn sat(self) -> bool {
+            pearlite! { exists<m : M> m.satisfies(self.real_model()) }
+        }
+
+        #[predicate]
+        pub fn equisat(self, f: Self) -> bool {
+            pearlite! {
+                forall<m : M> m.satisfies(self.real_model()) ==> m.satisfies(f.real_model()) && m.satisfies(f.real_model()) ==> m.satisfies(self.real_model())
+            }
+        }
+    }
+
+    impl Assignments {
+        #[logic]
+        pub fn real_model(self) -> M {
+            M(Mapping::cst(false))
+        }
+    }
+}
+
+#[cfg(feature = "contracts")]
+pub use inner::*;
+
 #[logic]
 fn pos() -> AssignedState {
     1u8
diff --git a/CreuSAT/src/logic/logic_formula.rs b/CreuSAT/src/logic/logic_formula.rs
index 713da92a..3c54ab41 100644
--- a/CreuSAT/src/logic/logic_formula.rs
+++ b/CreuSAT/src/logic/logic_formula.rs
@@ -17,6 +17,13 @@ impl Model for Formula {
     }
 }
 
+impl Formula {
+    #[logic]
+    pub fn real_model(self) -> Seq<Seq<Lit>> {
+        Seq::EMPTY
+    }
+}
+
 #[predicate]
 pub fn formula_invariant(f: (Seq<Clause>, Int)) -> bool {
     pearlite! {
@@ -75,10 +82,10 @@ impl Formula {
             exists<a2 : Seq<AssignedState>> a2.len() == @self.num_vars && complete_inner(a2) && self.sat_inner(a2)
         }
     }
-    #[predicate]
-    pub fn equisat(self, o: Formula) -> bool {
-        self.eventually_sat_complete_no_ass() == o.eventually_sat_complete_no_ass()
-    }
+    // #[predicate]
+    // pub fn equisat(self, o: Formula) -> bool {
+    //     self.eventually_sat_complete_no_ass() == o.eventually_sat_complete_no_ass()
+    // }
 
     #[predicate]
     pub fn compatible(self, o: Formula) -> bool {
@@ -146,10 +153,10 @@ impl Formula {
         }
     }
 
-    #[predicate]
-    pub fn sat(self, a: Assignments) -> bool {
-        pearlite! { formula_sat_inner(@self, @a) }
-    }
+    // #[predicate]
+    // pub fn sat(self, a: Assignments) -> bool {
+    //     pearlite! { formula_sat_inner(@self, @a) }
+    // }
 
     #[predicate]
     fn unsat_inner(self, a: Seq<AssignedState>) -> bool {
@@ -159,10 +166,10 @@ impl Formula {
         }
     }
 
-    #[predicate]
-    pub fn unsat(self, a: Assignments) -> bool {
-        pearlite! { self.unsat_inner(@a) }
-    }
+    // #[predicate]
+    // pub fn unsat(self, a: Assignments) -> bool {
+    //     pearlite! { self.unsat_inner(@a) }
+    // }
 
     #[predicate]
     pub fn not_satisfiable(self) -> bool {
diff --git a/CreuSAT/src/solver.rs b/CreuSAT/src/solver.rs
index 73a52afd..f789d3eb 100644
--- a/CreuSAT/src/solver.rs
+++ b/CreuSAT/src/solver.rs
@@ -268,7 +268,8 @@ impl Solver {
     #[ensures(@f.num_vars == @(^f).num_vars)]
     #[ensures(f.equisat(^f))]
     #[ensures(match result {
-        SatResult::Sat(_)   => { (^f).sat((^trail).assignments)
+        SatResult::Sat(_)   => {
+            (^trail).assignments.real_model().satisfies((^f).real_model())
                             &&   ((^trail).assignments).complete() }, // Do I really need this for anything?
         SatResult::Unsat    => { (^f).not_satisfiable() },
         SatResult::Unknown  => { true }
diff --git a/CreuSAT/src/unit_prop.rs b/CreuSAT/src/unit_prop.rs
index 5ad09bdf..90f02cf7 100644
--- a/CreuSAT/src/unit_prop.rs
+++ b/CreuSAT/src/unit_prop.rs
@@ -159,7 +159,9 @@ fn exists_new_watchable_lit(
 #[ensures(match result {
     Ok(true) => true,
     Ok(false) => (@(^trail).trail).len() == (@trail.trail).len(),
-    Err(n) => @n < (@(^f).clauses).len() && (^f).unsat((^trail).assignments) && (@(^f).clauses)[@n].unsat((^trail).assignments),
+    Err(n) => @n < (@(^f).clauses).len() &&
+        // (^f).unsat((^trail).assignments) &&
+        (@(^f).clauses)[@n].unsat((^trail).assignments),
 })]
 #[ensures(@f.num_vars == @(^f).num_vars)]
 #[ensures(f.equisat(^f))]
@@ -234,7 +236,9 @@ fn propagate_lit_with_regard_to_clause(
 #[requires(lit.index_logic() < @f.num_vars)]
 #[ensures(match result {
     Ok(()) => true,// !(^f).unsat(^a),
-    Err(n) => @n < (@(^f).clauses).len() && (^f).unsat((^trail).assignments) && (@(^f).clauses)[@n].unsat((^trail).assignments),
+    Err(n) => @n < (@(^f).clauses).len() &&
+        // (^f).unsat((^trail).assignments) &&
+        (@(^f).clauses)[@n].unsat((^trail).assignments),
 })]
 #[ensures(@f.num_vars == @(^f).num_vars)]
 #[ensures(f.equisat(^f))]
@@ -283,7 +287,9 @@ fn propagate_literal(f: &mut Formula, trail: &mut Trail, watches: &mut Watches,
 #[requires(@f.num_vars < @usize::MAX/2)]
 #[ensures(match result {
     Ok(()) => true, // !(^f).unsat(^a),
-    Err(n) => @n < (@(^f).clauses).len() && (^f).unsat((^trail).assignments) && (@(^f).clauses)[@n].unsat((^trail).assignments),
+    Err(n) => @n < (@(^f).clauses).len() &&
+    // (^f).unsat((^trail).assignments) &&
+    (@(^f).clauses)[@n].unsat((^trail).assignments),
 })]
 #[ensures(@f.num_vars == @(^f).num_vars)]
 #[ensures(f.equisat(^f))]
diff --git a/mlcfgs/CreuSAT.mlcfg b/mlcfgs/CreuSAT.mlcfg
index 00a25ade..a65690f3 100644
--- a/mlcfgs/CreuSAT.mlcfg
+++ b/mlcfgs/CreuSAT.mlcfg
@@ -13,15 +13,16 @@ module Type
   use floating_point.Single
   use floating_point.Double
   use seq.Seq
+  use set.Set
   use prelude.Prelude
   type creusat_lit_lit  =
     | CreuSat_Lit_Lit usize bool
     
-  let function creusat_lit_lit_Lit_idx (self : creusat_lit_lit) : usize =
+  let function creusat_lit_lit_Lit_idx (self : creusat_lit_lit) : usize = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Lit_Lit a _ -> a
       end
-  let function creusat_lit_lit_Lit_polarity (self : creusat_lit_lit) : bool =
+  let function creusat_lit_lit_Lit_polarity (self : creusat_lit_lit) : bool = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Lit_Lit _ a -> a
       end
@@ -48,15 +49,17 @@ module Type
     
   let function creusat_clause_clause_Clause_lits (self : creusat_clause_clause) : alloc_vec_vec (creusat_lit_lit) (alloc_alloc_global)
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Clause_Clause _ _ _ a -> a
       end
-  let function creusat_clause_clause_Clause_deleted (self : creusat_clause_clause) : bool =
+  let function creusat_clause_clause_Clause_deleted (self : creusat_clause_clause) : bool
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Clause_Clause a _ _ _ -> a
       end
-  let function creusat_clause_clause_Clause_search (self : creusat_clause_clause) : usize =
+  let function creusat_clause_clause_Clause_search (self : creusat_clause_clause) : usize
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Clause_Clause _ _ a _ -> a
       end
@@ -65,44 +68,51 @@ module Type
     
   let function creusat_formula_formula_Formula_clauses (self : creusat_formula_formula) : alloc_vec_vec (creusat_clause_clause) (alloc_alloc_global)
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Formula_Formula a _ -> a
       end
-  let function creusat_formula_formula_Formula_num_vars (self : creusat_formula_formula) : usize =
+  let function creusat_formula_formula_Formula_num_vars (self : creusat_formula_formula) : usize
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Formula_Formula _ a -> a
       end
   type creusat_solver_solver  =
     | CreuSat_Solver_Solver usize usize usize usize usize usize usize (alloc_vec_vec usize (alloc_alloc_global))
     
-  let function creusat_solver_solver_Solver_num_conflicts (self : creusat_solver_solver) : usize =
+  let function creusat_solver_solver_Solver_num_conflicts (self : creusat_solver_solver) : usize
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Solver_Solver _ _ a _ _ _ _ _ -> a
       end
-  let function creusat_solver_solver_Solver_num_lemmas (self : creusat_solver_solver) : usize =
+  let function creusat_solver_solver_Solver_num_lemmas (self : creusat_solver_solver) : usize
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Solver_Solver a _ _ _ _ _ _ _ -> a
       end
   let function creusat_solver_solver_Solver_perm_diff (self : creusat_solver_solver) : alloc_vec_vec usize (alloc_alloc_global)
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Solver_Solver _ _ _ _ _ _ _ a -> a
       end
-  let function creusat_solver_solver_Solver_max_lemmas (self : creusat_solver_solver) : usize =
+  let function creusat_solver_solver_Solver_max_lemmas (self : creusat_solver_solver) : usize
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Solver_Solver _ a _ _ _ _ _ _ -> a
       end
-  let function creusat_solver_solver_Solver_initial_len (self : creusat_solver_solver) : usize =
+  let function creusat_solver_solver_Solver_initial_len (self : creusat_solver_solver) : usize
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Solver_Solver _ _ _ a _ _ _ _ -> a
       end
-  let function creusat_solver_solver_Solver_fast (self : creusat_solver_solver) : usize =
+  let function creusat_solver_solver_Solver_fast (self : creusat_solver_solver) : usize
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Solver_Solver _ _ _ _ _ a _ _ -> a
       end
-  let function creusat_solver_solver_Solver_slow (self : creusat_solver_solver) : usize =
+  let function creusat_solver_solver_Solver_slow (self : creusat_solver_solver) : usize
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Solver_Solver _ _ _ _ _ _ a _ -> a
       end
@@ -111,7 +121,7 @@ module Type
     
   let function creusat_assignments_assignments_Assignments_0 (self : creusat_assignments_assignments) : alloc_vec_vec uint8 (alloc_alloc_global)
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Assignments_Assignments a -> a
       end
@@ -120,13 +130,13 @@ module Type
     | CreuSat_Trail_Reason_Unit usize
     | CreuSat_Trail_Reason_Long usize
     
-  let function creusat_trail_reason_Long_0 (self : creusat_trail_reason) : usize =
+  let function creusat_trail_reason_Long_0 (self : creusat_trail_reason) : usize = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Trail_Reason_Decision -> any usize
       | CreuSat_Trail_Reason_Unit _ -> any usize
       | CreuSat_Trail_Reason_Long a -> a
       end
-  let function creusat_trail_reason_Unit_0 (self : creusat_trail_reason) : usize =
+  let function creusat_trail_reason_Unit_0 (self : creusat_trail_reason) : usize = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Trail_Reason_Decision -> any usize
       | CreuSat_Trail_Reason_Unit a -> a
@@ -135,11 +145,13 @@ module Type
   type creusat_trail_step  =
     | CreuSat_Trail_Step (creusat_lit_lit) usize (creusat_trail_reason)
     
-  let function creusat_trail_step_Step_lit (self : creusat_trail_step) : creusat_lit_lit =
+  let function creusat_trail_step_Step_lit (self : creusat_trail_step) : creusat_lit_lit
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Trail_Step a _ _ -> a
       end
-  let function creusat_trail_step_Step_reason (self : creusat_trail_step) : creusat_trail_reason =
+  let function creusat_trail_step_Step_reason (self : creusat_trail_step) : creusat_trail_reason
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Trail_Step _ _ a -> a
       end
@@ -147,7 +159,7 @@ module Type
     | Core_Option_Option_None
     | Core_Option_Option_Some 't
     
-  let function core_option_option_Some_0 (self : core_option_option 't) : 't =
+  let function core_option_option_Some_0 (self : core_option_option 't) : 't = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | Core_Option_Option_None -> any 't
       | Core_Option_Option_Some a -> a
@@ -157,42 +169,43 @@ module Type
     
   let function creusat_trail_trail_Trail_lit_to_level (self : creusat_trail_trail) : alloc_vec_vec usize (alloc_alloc_global)
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Trail_Trail _ a _ _ _ -> a
       end
-  let function creusat_trail_trail_Trail_assignments (self : creusat_trail_trail) : creusat_assignments_assignments =
+  let function creusat_trail_trail_Trail_assignments (self : creusat_trail_trail) : creusat_assignments_assignments
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Trail_Trail a _ _ _ _ -> a
       end
   let function creusat_trail_trail_Trail_trail (self : creusat_trail_trail) : alloc_vec_vec (creusat_trail_step) (alloc_alloc_global)
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Trail_Trail _ _ a _ _ -> a
       end
   let function creusat_trail_trail_Trail_decisions (self : creusat_trail_trail) : alloc_vec_vec usize (alloc_alloc_global)
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Trail_Trail _ _ _ _ a -> a
       end
-  let function creusat_trail_trail_Trail_curr_i (self : creusat_trail_trail) : usize =
+  let function creusat_trail_trail_Trail_curr_i (self : creusat_trail_trail) : usize = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Trail_Trail _ _ _ a _ -> a
       end
   type creusat_decision_node  =
     | CreuSat_Decision_Node usize usize usize
     
-  let function creusat_decision_node_Node_next (self : creusat_decision_node) : usize =
+  let function creusat_decision_node_Node_next (self : creusat_decision_node) : usize = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Decision_Node a _ _ -> a
       end
-  let function creusat_decision_node_Node_prev (self : creusat_decision_node) : usize =
+  let function creusat_decision_node_Node_prev (self : creusat_decision_node) : usize = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Decision_Node _ a _ -> a
       end
-  let function creusat_decision_node_Node_ts (self : creusat_decision_node) : usize =
+  let function creusat_decision_node_Node_ts (self : creusat_decision_node) : usize = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Decision_Node _ _ a -> a
       end
@@ -201,19 +214,22 @@ module Type
     
   let function creusat_decision_decisions_Decisions_linked_list (self : creusat_decision_decisions) : alloc_vec_vec (creusat_decision_node) (alloc_alloc_global)
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Decision_Decisions a _ _ _ -> a
       end
-  let function creusat_decision_decisions_Decisions_search (self : creusat_decision_decisions) : usize =
+  let function creusat_decision_decisions_Decisions_search (self : creusat_decision_decisions) : usize
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Decision_Decisions _ _ _ a -> a
       end
-  let function creusat_decision_decisions_Decisions_start (self : creusat_decision_decisions) : usize =
+  let function creusat_decision_decisions_Decisions_start (self : creusat_decision_decisions) : usize
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Decision_Decisions _ _ a _ -> a
       end
-  let function creusat_decision_decisions_Decisions_timestamp (self : creusat_decision_decisions) : usize =
+  let function creusat_decision_decisions_Decisions_timestamp (self : creusat_decision_decisions) : usize
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Decision_Decisions _ a _ _ -> a
       end
@@ -225,14 +241,15 @@ module Type
     
   let function creusat_conflictanalysis_conflict_Restart_0 (self : creusat_conflictanalysis_conflict) : creusat_clause_clause
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_ConflictAnalysis_Conflict_Ground -> any creusat_clause_clause
       | CreuSat_ConflictAnalysis_Conflict_Unit _ -> any creusat_clause_clause
       | CreuSat_ConflictAnalysis_Conflict_Learned _ _ -> any creusat_clause_clause
       | CreuSat_ConflictAnalysis_Conflict_Restart a -> a
       end
-  let function creusat_conflictanalysis_conflict_Learned_0 (self : creusat_conflictanalysis_conflict) : usize =
+  let function creusat_conflictanalysis_conflict_Learned_0 (self : creusat_conflictanalysis_conflict) : usize
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_ConflictAnalysis_Conflict_Ground -> any usize
       | CreuSat_ConflictAnalysis_Conflict_Unit _ -> any usize
@@ -241,7 +258,7 @@ module Type
       end
   let function creusat_conflictanalysis_conflict_Learned_1 (self : creusat_conflictanalysis_conflict) : creusat_clause_clause
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_ConflictAnalysis_Conflict_Ground -> any creusat_clause_clause
       | CreuSat_ConflictAnalysis_Conflict_Unit _ -> any creusat_clause_clause
@@ -250,7 +267,7 @@ module Type
       end
   let function creusat_conflictanalysis_conflict_Unit_0 (self : creusat_conflictanalysis_conflict) : creusat_clause_clause
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_ConflictAnalysis_Conflict_Ground -> any creusat_clause_clause
       | CreuSat_ConflictAnalysis_Conflict_Unit a -> a
@@ -266,11 +283,13 @@ module Type
   type creusat_watches_watcher  =
     | CreuSat_Watches_Watcher usize (creusat_lit_lit)
     
-  let function creusat_watches_watcher_Watcher_cref (self : creusat_watches_watcher) : usize =
+  let function creusat_watches_watcher_Watcher_cref (self : creusat_watches_watcher) : usize
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Watches_Watcher a _ -> a
       end
-  let function creusat_watches_watcher_Watcher_blocker (self : creusat_watches_watcher) : creusat_lit_lit =
+  let function creusat_watches_watcher_Watcher_blocker (self : creusat_watches_watcher) : creusat_lit_lit
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Watches_Watcher _ a -> a
       end
@@ -279,20 +298,28 @@ module Type
     
   let function creusat_watches_watches_Watches_watches (self : creusat_watches_watches) : alloc_vec_vec (alloc_vec_vec (creusat_watches_watcher) (alloc_alloc_global)) (alloc_alloc_global)
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | CreuSat_Watches_Watches a -> a
       end
+  type creusat_logic_logic_inner_m  =
+    | CreuSat_Logic_Logic_Inner_M (Map.map int bool)
+    
+  let function creusat_logic_logic_inner_m_M_0 (self : creusat_logic_logic_inner_m) : Map.map int bool
+   = [@vc:do_not_keep_trace] [@vc:sp]
+    match (self) with
+      | CreuSat_Logic_Logic_Inner_M a -> a
+      end
   type core_result_result 't 'e =
     | Core_Result_Result_Ok 't
     | Core_Result_Result_Err 'e
     
-  let function core_result_result_Err_0 (self : core_result_result 't 'e) : 'e =
+  let function core_result_result_Err_0 (self : core_result_result 't 'e) : 'e = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | Core_Result_Result_Ok _ -> any 'e
       | Core_Result_Result_Err a -> a
       end
-  let function core_result_result_Ok_0 (self : core_result_result 't 'e) : 't =
+  let function core_result_result_Ok_0 (self : core_result_result 't 'e) : 't = [@vc:do_not_keep_trace] [@vc:sp]
     match (self) with
       | Core_Result_Result_Ok a -> a
       | Core_Result_Result_Err _ -> any 't
@@ -311,32 +338,6 @@ module CreuSat_Lit_Impl1_New_Interface
   use Type
   val new [@cfg:stackify] (idx : usize) (polarity : bool) : Type.creusat_lit_lit
 end
-module CreuSat_Lit_Impl1_New
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.UInt64
-  use Type
-  let rec cfg new [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 113 4 113 49] (idx : usize) (polarity : bool) : Type.creusat_lit_lit
-    
-   =
-  var _0 : Type.creusat_lit_lit;
-  var idx_1 : usize;
-  var polarity_2 : bool;
-  var _3 : usize;
-  var _4 : bool;
-  {
-    idx_1 <- idx;
-    polarity_2 <- polarity;
-    goto BB0
-  }
-  BB0 {
-    _3 <- idx_1;
-    _4 <- polarity_2;
-    _0 <- Type.CreuSat_Lit_Lit _3 _4;
-    return _0
-  }
-  
-end
 module CreusotContracts_Std1_Vec_Impl0_Model_Interface
   type t
   type a
@@ -370,19 +371,6 @@ module Alloc_Vec_Impl1_Len_Interface
   val len [@cfg:stackify] (self : Type.alloc_vec_vec t a) : usize
     ensures { UInt64.to_int result = Seq.length (Model0.model self) }
     
-end
-module Alloc_Vec_Impl1_Len
-  type t
-  type a
-  use mach.int.UInt64
-  use seq.Seq
-  use prelude.Prelude
-  use Type
-  use mach.int.Int
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = t, type a = a, axiom .
-  val len [@cfg:stackify] (self : Type.alloc_vec_vec t a) : usize
-    ensures { UInt64.to_int result = Seq.length (Model0.model self) }
-    
 end
 module Alloc_Vec_FromElem_Interface
   type t
@@ -396,22 +384,7 @@ module Alloc_Vec_FromElem_Interface
   axiom .
   val from_elem [@cfg:stackify] (elem : t) (n : usize) : Type.alloc_vec_vec t (Type.alloc_alloc_global)
     ensures { Seq.length (Model0.model result) = UInt64.to_int n }
-    ensures { forall i : (int) . 0 <= i && i < UInt64.to_int n -> Seq.get (Model0.model result) i = elem }
-    
-end
-module Alloc_Vec_FromElem
-  type t
-  use seq.Seq
-  use mach.int.UInt64
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = t, type a = Type.alloc_alloc_global,
-  axiom .
-  val from_elem [@cfg:stackify] (elem : t) (n : usize) : Type.alloc_vec_vec t (Type.alloc_alloc_global)
-    ensures { Seq.length (Model0.model result) = UInt64.to_int n }
-    ensures { forall i : (int) . 0 <= i && i < UInt64.to_int n -> Seq.get (Model0.model result) i = elem }
+    ensures { forall i : (int) . 0 <= i /\ i < UInt64.to_int n -> Seq.get (Model0.model result) i = elem }
     
 end
 module CreusotContracts_Std1_Vec_Impl0
@@ -429,14 +402,14 @@ module CreuSat_Solver_Impl0_New
   use mach.int.Int
   use mach.int.UInt64
   clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone Alloc_Vec_FromElem_Interface as FromElem0 with type t = usize, function Model0.model = Model1.model
   clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
+  clone Alloc_Vec_FromElem_Interface as FromElem0 with type t = usize, function Model0.model = Model1.model
   clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, function Model0.model = Model0.model
-  let rec cfg new [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 76 4 76 37] (f : Type.creusat_formula_formula) : Type.creusat_solver_solver
+  let rec cfg new [@cfg:stackify] [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 76 4 76 37] (f : Type.creusat_formula_formula) : Type.creusat_solver_solver
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
   var _0 : Type.creusat_solver_solver;
   var f_1 : Type.creusat_formula_formula;
   var _2 : usize;
@@ -449,12 +422,12 @@ module CreuSat_Solver_Impl0_New
   }
   BB0 {
     _3 <- Type.creusat_formula_formula_Formula_clauses f_1;
-    _2 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 81 25 81 40] Len0.len _3);
+    _2 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 81 25 81 40] Len0.len _3);
     goto BB1
   }
   BB1 {
     _5 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    _4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 85 23 85 52] FromElem0.from_elem (0 : usize) _5);
+    _4 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 85 23 85 52] FromElem0.from_elem (0 : usize) _5);
     goto BB2
   }
   BB2 {
@@ -491,9 +464,9 @@ module CreuSat_Solver_Impl0_IncreaseNumConflicts
   use mach.int.Int
   use mach.int.UInt64
   clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_solver_solver
-  let rec cfg increase_num_conflicts [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 91 4 91 40] (self : borrowed (Type.creusat_solver_solver)) : ()
+  let rec cfg increase_num_conflicts [@cfg:stackify] [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 91 4 91 40] (self : borrowed (Type.creusat_solver_solver)) : ()
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
   var _0 : ();
   var self_1 : borrowed (Type.creusat_solver_solver);
   var _2 : bool;
@@ -504,14 +477,14 @@ module CreuSat_Solver_Impl0_IncreaseNumConflicts
   }
   BB0 {
     _3 <- Type.creusat_solver_solver_Solver_num_conflicts ( * self_1);
-    _2 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 92 11 92 42] _3 < (18446744073709551615 : usize));
+    _2 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 92 11 92 42] _3 < (18446744073709551615 : usize));
     switch (_2)
       | False -> goto BB2
       | _ -> goto BB1
       end
   }
   BB1 {
-    self_1 <- { self_1 with current = (let Type.CreuSat_Solver_Solver a b c d e f g h =  * self_1 in Type.CreuSat_Solver_Solver a b ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 93 12 93 35] Type.creusat_solver_solver_Solver_num_conflicts ( * self_1) + (1 : usize)) d e f g h) };
+    self_1 <- { self_1 with current = (let Type.CreuSat_Solver_Solver a b c d e f g h =  * self_1 in Type.CreuSat_Solver_Solver a b ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 93 12 93 35] Type.creusat_solver_solver_Solver_num_conflicts ( * self_1) + (1 : usize)) d e f g h) };
     assume { Resolve0.resolve self_1 };
     _0 <- ();
     goto BB3
@@ -537,9 +510,9 @@ module CreuSat_Solver_Impl0_IncreaseNumLemmas
   use mach.int.Int
   use mach.int.UInt64
   clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_solver_solver
-  let rec cfg increase_num_lemmas [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 99 4 99 37] (self : borrowed (Type.creusat_solver_solver)) : ()
+  let rec cfg increase_num_lemmas [@cfg:stackify] [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 99 4 99 37] (self : borrowed (Type.creusat_solver_solver)) : ()
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
   var _0 : ();
   var self_1 : borrowed (Type.creusat_solver_solver);
   var _2 : bool;
@@ -550,14 +523,14 @@ module CreuSat_Solver_Impl0_IncreaseNumLemmas
   }
   BB0 {
     _3 <- Type.creusat_solver_solver_Solver_num_lemmas ( * self_1);
-    _2 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 100 11 100 39] _3 < (18446744073709551615 : usize));
+    _2 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 100 11 100 39] _3 < (18446744073709551615 : usize));
     switch (_2)
       | False -> goto BB2
       | _ -> goto BB1
       end
   }
   BB1 {
-    self_1 <- { self_1 with current = (let Type.CreuSat_Solver_Solver a b c d e f g h =  * self_1 in Type.CreuSat_Solver_Solver ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 101 12 101 32] Type.creusat_solver_solver_Solver_num_lemmas ( * self_1) + (1 : usize)) b c d e f g h) };
+    self_1 <- { self_1 with current = (let Type.CreuSat_Solver_Solver a b c d e f g h =  * self_1 in Type.CreuSat_Solver_Solver ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 101 12 101 32] Type.creusat_solver_solver_Solver_num_lemmas ( * self_1) + (1 : usize)) b c d e f g h) };
     assume { Resolve0.resolve self_1 };
     _0 <- ();
     goto BB3
@@ -578,188 +551,12 @@ module CreuSat_Util_UpdateFast_Interface
   use mach.int.UInt64
   val update_fast [@cfg:stackify] (fast : borrowed usize) (lbd : usize) : ()
 end
-module CreuSat_Util_UpdateFast
-  use prelude.Prelude
-  use mach.int.Int
-  use mach.int.UInt64
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = usize
-  let rec cfg update_fast [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 40 0 40 48] (fast : borrowed usize) (lbd : usize) : ()
-    
-   =
-  var _0 : ();
-  var fast_1 : borrowed usize;
-  var lbd_2 : usize;
-  var _3 : usize;
-  var _4 : usize;
-  var _5 : bool;
-  var lbd_shl_fifteen_6 : usize;
-  var _7 : bool;
-  var _8 : usize;
-  var _9 : usize;
-  var _10 : bool;
-  var _11 : usize;
-  var _12 : bool;
-  var _13 : usize;
-  var _14 : usize;
-  var _15 : usize;
-  var _16 : usize;
-  {
-    fast_1 <- fast;
-    lbd_2 <- lbd;
-    goto BB0
-  }
-  BB0 {
-    _4 <-  * fast_1;
-    _5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 41 13 41 23] (32 : usize) = (0 : usize));
-    assert { not _5 };
-    goto BB1
-  }
-  BB1 {
-    _3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 41 13 41 23] _4 / (32 : usize));
-    fast_1 <- { fast_1 with current = ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 41 4 41 23]  * fast_1 - _3) };
-    _8 <- lbd_2;
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 42 35 42 53] (32768 : usize) = (0 : usize));
-    assert { not _10 };
-    goto BB2
-  }
-  BB2 {
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 42 35 42 53] (18446744073709551615 : usize) / (32768 : usize));
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 42 29 42 53] _8 < _9);
-    switch (_7)
-      | False -> goto BB4
-      | _ -> goto BB3
-      end
-  }
-  BB3 {
-    _11 <- lbd_2;
-    lbd_shl_fifteen_6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 42 56 42 67] _11 * (32768 : usize));
-    goto BB5
-  }
-  BB4 {
-    lbd_shl_fifteen_6 <- lbd_2;
-    goto BB5
-  }
-  BB5 {
-    _14 <-  * fast_1;
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 43 7 43 25] (18446744073709551615 : usize) - _14);
-    _15 <- lbd_shl_fifteen_6;
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 43 7 43 43] _13 > _15);
-    switch (_12)
-      | False -> goto BB7
-      | _ -> goto BB6
-      end
-  }
-  BB6 {
-    _16 <- lbd_shl_fifteen_6;
-    fast_1 <- { fast_1 with current = ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 44 8 44 32]  * fast_1 + _16) };
-    assume { Resolve0.resolve fast_1 };
-    _0 <- ();
-    goto BB8
-  }
-  BB7 {
-    assume { Resolve0.resolve fast_1 };
-    _0 <- ();
-    goto BB8
-  }
-  BB8 {
-    return _0
-  }
-  
-end
 module CreuSat_Util_UpdateSlow_Interface
   use prelude.Prelude
   use mach.int.Int
   use mach.int.UInt64
   val update_slow [@cfg:stackify] (slow : borrowed usize) (lbd : usize) : ()
 end
-module CreuSat_Util_UpdateSlow
-  use prelude.Prelude
-  use mach.int.Int
-  use mach.int.UInt64
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = usize
-  let rec cfg update_slow [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 50 0 50 48] (slow : borrowed usize) (lbd : usize) : ()
-    
-   =
-  var _0 : ();
-  var slow_1 : borrowed usize;
-  var lbd_2 : usize;
-  var _3 : usize;
-  var _4 : usize;
-  var _5 : bool;
-  var lbd_shl_five_6 : usize;
-  var _7 : bool;
-  var _8 : usize;
-  var _9 : usize;
-  var _10 : bool;
-  var _11 : usize;
-  var _12 : bool;
-  var _13 : usize;
-  var _14 : usize;
-  var _15 : usize;
-  var _16 : usize;
-  {
-    slow_1 <- slow;
-    lbd_2 <- lbd;
-    goto BB0
-  }
-  BB0 {
-    _4 <-  * slow_1;
-    _5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 51 13 51 26] (32768 : usize) = (0 : usize));
-    assert { not _5 };
-    goto BB1
-  }
-  BB1 {
-    _3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 51 13 51 26] _4 / (32768 : usize));
-    slow_1 <- { slow_1 with current = ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 51 4 51 26]  * slow_1 - _3) };
-    _8 <- lbd_2;
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 52 32 52 47] (32 : usize) = (0 : usize));
-    assert { not _10 };
-    goto BB2
-  }
-  BB2 {
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 52 32 52 47] (18446744073709551615 : usize) / (32 : usize));
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 52 26 52 47] _8 < _9);
-    switch (_7)
-      | False -> goto BB4
-      | _ -> goto BB3
-      end
-  }
-  BB3 {
-    _11 <- lbd_2;
-    lbd_shl_five_6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 52 50 52 58] _11 * (32 : usize));
-    goto BB5
-  }
-  BB4 {
-    lbd_shl_five_6 <- lbd_2;
-    goto BB5
-  }
-  BB5 {
-    _14 <-  * slow_1;
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 53 7 53 25] (18446744073709551615 : usize) - _14);
-    _15 <- lbd_shl_five_6;
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 53 7 53 40] _13 > _15);
-    switch (_12)
-      | False -> goto BB7
-      | _ -> goto BB6
-      end
-  }
-  BB6 {
-    _16 <- lbd_shl_five_6;
-    slow_1 <- { slow_1 with current = ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 54 8 54 29]  * slow_1 + _16) };
-    assume { Resolve0.resolve slow_1 };
-    _0 <- ();
-    goto BB8
-  }
-  BB7 {
-    assume { Resolve0.resolve slow_1 };
-    _0 <- ();
-    goto BB8
-  }
-  BB8 {
-    return _0
-  }
-  
-end
 module CreusotContracts_Logic_Model_Model_ModelTy
   type self
   type modelTy
@@ -816,10 +613,10 @@ module CreuSat_Logic_LogicAssignments_Impl0_Model
   use prelude.UInt8
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = uint8, type a = Type.alloc_alloc_global,
   axiom .
-  function model [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_assignments.rs" 19 4 19 35] (self : Type.creusat_assignments_assignments) : Seq.seq uint8
+  function model [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_assignments.rs" 19 4 19 35] (self : Type.creusat_assignments_assignments) : Seq.seq uint8
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_assignments.rs" 18 4 18 12] Model0.model (Type.creusat_assignments_assignments_Assignments_0 self)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_assignments.rs" 18 4 18 12] Model0.model (Type.creusat_assignments_assignments_Assignments_0 self)
 end
 module CreuSat_Logic_LogicAssignments_Impl0
   use mach.int.Int
@@ -827,8 +624,8 @@ module CreuSat_Logic_LogicAssignments_Impl0
   use prelude.UInt8
   use Type
   clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model0 with function Model0.model = Model2.model
   clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model0 with function Model0.model = Model2.model
   clone CreusotContracts_Logic_Model_Model_Model_Interface as Model1 with type self = Type.creusat_assignments_assignments,
   function model = Model0.model, type ModelTy0.modelTy = ModelTy0.modelTy
   clone CreusotContracts_Logic_Model_Model_ModelTy as ModelTy1 with type self = Type.creusat_assignments_assignments,
@@ -878,27 +675,8 @@ module Alloc_Vec_Impl16_Index_Interface
   use prelude.Prelude
   use Type
   use seq.Seq
-  clone Core_Slice_Index_SliceIndex_Output as Output0 with type self = i, type t = seq t
   clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = t
-  clone CreusotContracts_Std1_Slice_SliceIndexSpec_HasValue_Interface as HasValue0 with type self = i, type t = seq t,
-  type ModelTy0.modelTy = ModelTy0.modelTy, type Output0.output = Output0.output
-  clone CreusotContracts_Std1_Slice_SliceIndexSpec_InBounds_Interface as InBounds0 with type self = i, type t = seq t,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = t, type a = a, axiom .
-  val index [@cfg:stackify] (self : Type.alloc_vec_vec t a) (index : i) : Output0.output
-    requires {InBounds0.in_bounds index (Model0.model self)}
-    ensures { HasValue0.has_value index (Model0.model self) result }
-    
-end
-module Alloc_Vec_Impl16_Index
-  type t
-  type i
-  type a
-  use prelude.Prelude
-  use Type
-  use seq.Seq
   clone Core_Slice_Index_SliceIndex_Output as Output0 with type self = i, type t = seq t
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = t
   clone CreusotContracts_Std1_Slice_SliceIndexSpec_HasValue_Interface as HasValue0 with type self = i, type t = seq t,
   type ModelTy0.modelTy = ModelTy0.modelTy, type Output0.output = Output0.output
   clone CreusotContracts_Std1_Slice_SliceIndexSpec_InBounds_Interface as InBounds0 with type self = i, type t = seq t,
@@ -973,59 +751,9 @@ module CreuSat_Assignments_Impl0_Index_Interface
   clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_assignments_assignments,
   type ModelTy0.modelTy = ModelTy0.modelTy
   val index [@cfg:stackify] (self : Type.creusat_assignments_assignments) (ix : usize) : uint8
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 21 4 21 36] UInt64.to_int ix < Seq.length (Model0.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 22 4 22 39] Seq.get (Model0.model self) (UInt64.to_int ix) = result }
-    
-end
-module CreuSat_Assignments_Impl0_Index
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use Type
-  use prelude.UInt8
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = uint8
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = uint8
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = uint8
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = uint8
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = uint8, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  let rec cfg index [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 23 4 23 48] (self : Type.creusat_assignments_assignments) (ix : usize) : uint8
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 21 4 21 36] UInt64.to_int ix < Seq.length (Model0.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 22 4 22 39] Seq.get (Model0.model self) (UInt64.to_int ix) = result }
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 21 4 21 36] UInt64.to_int ix < Seq.length (Model0.model self)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 22 4 22 39] Seq.get (Model0.model self) (UInt64.to_int ix) = result }
     
-   =
-  var _0 : uint8;
-  var self_1 : Type.creusat_assignments_assignments;
-  var ix_2 : usize;
-  var _3 : uint8;
-  var _4 : uint8;
-  var _5 : Type.alloc_vec_vec uint8 (Type.alloc_alloc_global);
-  var _6 : usize;
-  {
-    self_1 <- self;
-    ix_2 <- ix;
-    goto BB0
-  }
-  BB0 {
-    _5 <- Type.creusat_assignments_assignments_Assignments_0 self_1;
-    _6 <- ix_2;
-    _4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 29 9 29 19] Index0.index _5 _6);
-    goto BB1
-  }
-  BB1 {
-    _3 <- _4;
-    _0 <- _3;
-    return _0
-  }
-  
 end
 module CreusotContracts_Logic_Model_Impl1_Model_Interface
   type t
@@ -1064,32 +792,8 @@ module Alloc_Vec_Impl17_IndexMut_Interface
   use seq.Seq
   use prelude.Prelude
   use Type
-  clone Core_Slice_Index_SliceIndex_Output as Output0 with type self = i, type t = seq t
   clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = t
-  clone CreusotContracts_Std1_Slice_SliceIndexSpec_ResolveElswhere_Interface as ResolveElswhere0 with type self = i,
-  type t = seq t, type ModelTy0.modelTy = ModelTy0.modelTy
-  clone CreusotContracts_Std1_Slice_SliceIndexSpec_HasValue_Interface as HasValue0 with type self = i, type t = seq t,
-  type ModelTy0.modelTy = ModelTy0.modelTy, type Output0.output = Output0.output
-  clone CreusotContracts_Std1_Slice_SliceIndexSpec_InBounds_Interface as InBounds0 with type self = i, type t = seq t,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = t, type a = a, axiom .
-  val index_mut [@cfg:stackify] (self : borrowed (Type.alloc_vec_vec t a)) (index : i) : borrowed Output0.output
-    requires {InBounds0.in_bounds index (Model0.model ( * self))}
-    ensures { HasValue0.has_value index (Model0.model ( * self)) ( * result) }
-    ensures { HasValue0.has_value index (Model0.model ( ^ self)) ( ^ result) }
-    ensures { ResolveElswhere0.resolve_elswhere index (Model0.model ( * self)) (Model0.model ( ^ self)) }
-    ensures { Seq.length (Model0.model ( ^ self)) = Seq.length (Model0.model ( * self)) }
-    
-end
-module Alloc_Vec_Impl17_IndexMut
-  type t
-  type i
-  type a
-  use seq.Seq
-  use prelude.Prelude
-  use Type
   clone Core_Slice_Index_SliceIndex_Output as Output0 with type self = i, type t = seq t
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = t
   clone CreusotContracts_Std1_Slice_SliceIndexSpec_ResolveElswhere_Interface as ResolveElswhere0 with type self = i,
   type t = seq t, type ModelTy0.modelTy = ModelTy0.modelTy
   clone CreusotContracts_Std1_Slice_SliceIndexSpec_HasValue_Interface as HasValue0 with type self = i, type t = seq t,
@@ -1126,7 +830,7 @@ module CreusotContracts_Std1_Slice_Impl3_ResolveElswhere
   use seq.Seq
   use mach.int.Int32
   predicate resolve_elswhere [@inline:trivial] (self : usize) (old' : Seq.seq t) (fin : Seq.seq t) =
-    forall i : (int) . 0 <= i && i <> UInt64.to_int self && i < Seq.length old' -> Seq.get old' i = Seq.get fin i
+    forall i : (int) . 0 <= i /\ i <> UInt64.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i
 end
 module CreuSat_Assignments_Impl1_IndexMut_Interface
   use mach.int.UInt64
@@ -1136,132 +840,30 @@ module CreuSat_Assignments_Impl1_IndexMut_Interface
   use prelude.Prelude
   use Type
   use prelude.UInt8
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model1
   clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model1
   clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model0 with type t = Type.creusat_assignments_assignments,
   type ModelTy0.modelTy = ModelTy0.modelTy
   val index_mut [@cfg:stackify] (self : borrowed (Type.creusat_assignments_assignments)) (ix : usize) : borrowed uint8
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 35 4 35 36] UInt64.to_int ix < Seq.length (Model0.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 36 4 36 40] Seq.get (Model1.model ( * self)) (UInt64.to_int ix) =  * result }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 37 4 37 40] Seq.get (Model1.model ( ^ self)) (UInt64.to_int ix) =  ^ result }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 38 4 38 101] forall i : (int) . 0 <= i && i <> UInt64.to_int ix && i < Seq.length (Model0.model self) -> Seq.get (Model0.model self) i = Seq.get (Model1.model ( ^ self)) i }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 39 4 39 48] Seq.length (Model1.model ( ^ self)) = Seq.length (Model1.model ( * self)) }
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 35 4 35 36] UInt64.to_int ix < Seq.length (Model0.model self)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 36 4 36 40] Seq.get (Model1.model ( * self)) (UInt64.to_int ix) =  * result }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 37 4 37 40] Seq.get (Model1.model ( ^ self)) (UInt64.to_int ix) =  ^ result }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 38 4 38 101] forall i : (int) . 0 <= i /\ i <> UInt64.to_int ix /\ i < Seq.length (Model0.model self) -> Seq.get (Model0.model self) i = Seq.get (Model1.model ( ^ self)) i }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 39 4 39 48] Seq.length (Model1.model ( ^ self)) = Seq.length (Model1.model ( * self)) }
     
 end
-module CreuSat_Assignments_Impl1_IndexMut
+module CreuSat_Assignments_Impl2_Len_Interface
   use mach.int.UInt64
   use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
   use prelude.Prelude
   use Type
-  use prelude.UInt8
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model1 with function Model0.model = Model2.model
+  use mach.int.Int
   clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = uint8
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = uint8
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = uint8
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = uint8
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = uint8
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = uint8
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_assignments_assignments
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = uint8, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  let rec cfg index_mut [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 40 4 40 60] (self : borrowed (Type.creusat_assignments_assignments)) (ix : usize) : borrowed uint8
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 35 4 35 36] UInt64.to_int ix < Seq.length (Model0.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 36 4 36 40] Seq.get (Model1.model ( * self)) (UInt64.to_int ix) =  * result }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 37 4 37 40] Seq.get (Model1.model ( ^ self)) (UInt64.to_int ix) =  ^ result }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 38 4 38 101] forall i : (int) . 0 <= i && i <> UInt64.to_int ix && i < Seq.length (Model0.model self) -> Seq.get (Model0.model self) i = Seq.get (Model1.model ( ^ self)) i }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 39 4 39 48] Seq.length (Model1.model ( ^ self)) = Seq.length (Model1.model ( * self)) }
+  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_assignments_assignments,
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  val len [@cfg:stackify] (self : Type.creusat_assignments_assignments) : usize
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 54 4 54 40] UInt64.to_int result = Seq.length (Model0.model self) }
     
-   =
-  var _0 : borrowed uint8;
-  var self_1 : borrowed (Type.creusat_assignments_assignments);
-  var ix_2 : usize;
-  var _3 : borrowed uint8;
-  var _4 : borrowed uint8;
-  var _5 : borrowed uint8;
-  var _6 : borrowed (Type.alloc_vec_vec uint8 (Type.alloc_alloc_global));
-  var _7 : usize;
-  {
-    self_1 <- self;
-    ix_2 <- ix;
-    goto BB0
-  }
-  BB0 {
-    _6 <- borrow_mut (Type.creusat_assignments_assignments_Assignments_0 ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Assignments_Assignments a =  * self_1 in Type.CreuSat_Assignments_Assignments ( ^ _6)) };
-    assume { Resolve0.resolve self_1 };
-    _7 <- ix_2;
-    _5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 46 13 46 23] IndexMut0.index_mut _6 _7);
-    goto BB1
-  }
-  BB1 {
-    _4 <- borrow_mut ( * _5);
-    _5 <- { _5 with current = ( ^ _4) };
-    assume { Resolve1.resolve _5 };
-    _3 <- borrow_mut ( * _4);
-    _4 <- { _4 with current = ( ^ _3) };
-    assume { Resolve1.resolve _4 };
-    _0 <- borrow_mut ( * _3);
-    _3 <- { _3 with current = ( ^ _0) };
-    assume { Resolve1.resolve _3 };
-    return _0
-  }
-  
-end
-module CreuSat_Assignments_Impl2_Len_Interface
-  use mach.int.UInt64
-  use seq.Seq
-  use prelude.Prelude
-  use Type
-  use mach.int.Int
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  val len [@cfg:stackify] (self : Type.creusat_assignments_assignments) : usize
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 54 4 54 40] UInt64.to_int result = Seq.length (Model0.model self) }
-    
-end
-module CreuSat_Assignments_Impl2_Len
-  use mach.int.UInt64
-  use seq.Seq
-  use prelude.Prelude
-  use Type
-  use mach.int.Int
-  use prelude.UInt8
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = uint8, type a = Type.alloc_alloc_global,
-  function Model0.model = Model2.model
-  let rec cfg len [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 55 4 55 30] (self : Type.creusat_assignments_assignments) : usize
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 54 4 54 40] UInt64.to_int result = Seq.length (Model0.model self) }
-    
-   =
-  var _0 : usize;
-  var self_1 : Type.creusat_assignments_assignments;
-  var _2 : Type.alloc_vec_vec uint8 (Type.alloc_alloc_global);
-  {
-    self_1 <- self;
-    goto BB0
-  }
-  BB0 {
-    _2 <- Type.creusat_assignments_assignments_Assignments_0 self_1;
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 56 8 56 20] Len0.len _2);
-    goto BB1
-  }
-  BB1 {
-    return _0
-  }
-  
 end
 module CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface
   use Type
@@ -1275,10 +877,10 @@ module CreuSat_Logic_LogicAssignments_Impl1_Invariant
   use mach.int.Int32
   use prelude.UInt8
   clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate invariant' [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_assignments.rs" 47 4 47 46] (self : Type.creusat_assignments_assignments) (f : Type.creusat_formula_formula)
+  predicate invariant' [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_assignments.rs" 47 4 47 46] (self : Type.creusat_assignments_assignments) (f : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_assignments.rs" 48 8 51 9] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) = Seq.length (Model0.model self) && (forall i : (int) . 0 <= i && i < Seq.length (Model0.model self) -> UInt8.to_int (Seq.get (Model0.model self) i) <= 3)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_assignments.rs" 48 8 51 9] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) = Seq.length (Model0.model self) /\ (forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model self) -> UInt8.to_int (Seq.get (Model0.model self) i) <= 3)
 end
 module CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface
   use Type
@@ -1289,10 +891,10 @@ module CreuSat_Logic_LogicLit_Impl0_IndexLogic
   use Type
   use mach.int.Int
   use mach.int.UInt64
-  function index_logic [@inline:trivial] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 21 4 21 35] (self : Type.creusat_lit_lit) : int
+  function index_logic [@inline:trivial] [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 21 4 21 35] (self : Type.creusat_lit_lit) : int
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 22 8 22 31] UInt64.to_int (Type.creusat_lit_lit_Lit_idx self)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 22 8 22 31] UInt64.to_int (Type.creusat_lit_lit_Lit_idx self)
 end
 module CreuSat_Logic_LogicLit_Impl1_Invariant_Interface
   use Type
@@ -1303,10 +905,10 @@ module CreuSat_Logic_LogicLit_Impl1_Invariant
   use Type
   use mach.int.Int
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  predicate invariant' [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 76 4 76 42] (self : Type.creusat_lit_lit) (n : int)
+  predicate invariant' [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 76 4 76 42] (self : Type.creusat_lit_lit) (n : int)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 77 8 77 44] IndexLogic0.index_logic self < n
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 77 8 77 44] IndexLogic0.index_logic self < n
 end
 module CreuSat_Logic_LogicClause_Impl0_Model_Interface
   use Type
@@ -1318,10 +920,10 @@ module CreuSat_Logic_LogicClause_Impl0_Model
   use seq.Seq
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_lit_lit,
   type a = Type.alloc_alloc_global, axiom .
-  function model [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 15 4 15 35] (self : Type.creusat_clause_clause) : Seq.seq (Type.creusat_lit_lit)
+  function model [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 15 4 15 35] (self : Type.creusat_clause_clause) : Seq.seq (Type.creusat_lit_lit)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 14 4 14 12] Model0.model (Type.creusat_clause_clause_Clause_lits self)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 14 4 14 12] Model0.model (Type.creusat_clause_clause_Clause_lits self)
 end
 module CreuSat_Logic_LogicClause_VarsInRangeInner_Interface
   use seq.Seq
@@ -1335,10 +937,10 @@ module CreuSat_Logic_LogicClause_VarsInRangeInner
   use mach.int.Int
   use mach.int.Int32
   clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant0
-  predicate vars_in_range_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 21 0 21 55] (s : Seq.seq (Type.creusat_lit_lit)) (n : int)
+  predicate vars_in_range_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 21 0 21 55] (s : Seq.seq (Type.creusat_lit_lit)) (n : int)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 22 4 25 5] forall i : (int) . 0 <= i && i < Seq.length s -> Invariant0.invariant' (Seq.get s i) n
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 22 4 25 5] forall i : (int) . 0 <= i /\ i < Seq.length s -> Invariant0.invariant' (Seq.get s i) n
 end
 module CreuSat_Logic_LogicClause_NoDuplicateIndexesInner_Interface
   use seq.Seq
@@ -1351,10 +953,10 @@ module CreuSat_Logic_LogicClause_NoDuplicateIndexesInner
   use mach.int.Int
   use mach.int.Int32
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  predicate no_duplicate_indexes_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 41 0 41 54] (s : Seq.seq (Type.creusat_lit_lit))
+  predicate no_duplicate_indexes_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 41 0 41 54] (s : Seq.seq (Type.creusat_lit_lit))
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 42 4 45 5] forall k : (int) . forall j : (int) . 0 <= j && j < Seq.length s && 0 <= k && k < j -> not IndexLogic0.index_logic (Seq.get s k) = IndexLogic0.index_logic (Seq.get s j)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 42 4 45 5] forall k : (int) . forall j : (int) . 0 <= j /\ j < Seq.length s /\ 0 <= k /\ k < j -> not IndexLogic0.index_logic (Seq.get s k) = IndexLogic0.index_logic (Seq.get s j)
 end
 module CreuSat_Logic_LogicClause_InvariantInternal_Interface
   use seq.Seq
@@ -1368,10 +970,10 @@ module CreuSat_Logic_LogicClause_InvariantInternal
   use mach.int.Int
   clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner_Interface as NoDuplicateIndexesInner0
   clone CreuSat_Logic_LogicClause_VarsInRangeInner_Interface as VarsInRangeInner0
-  predicate invariant_internal [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 29 0 29 54] (s : Seq.seq (Type.creusat_lit_lit)) (n : int)
+  predicate invariant_internal [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 29 0 29 54] (s : Seq.seq (Type.creusat_lit_lit)) (n : int)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 28 0 28 12] VarsInRangeInner0.vars_in_range_inner s n && NoDuplicateIndexesInner0.no_duplicate_indexes_inner s
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 28 0 28 12] VarsInRangeInner0.vars_in_range_inner s n /\ NoDuplicateIndexesInner0.no_duplicate_indexes_inner s
 end
 module CreuSat_Logic_LogicClause_Impl2_Invariant_Interface
   use Type
@@ -1383,16 +985,16 @@ module CreuSat_Logic_LogicClause_Impl2_Invariant
   use mach.int.Int
   clone CreuSat_Logic_LogicClause_InvariantInternal_Interface as InvariantInternal0
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate invariant' [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 195 4 195 42] (self : Type.creusat_clause_clause) (n : int)
+  predicate invariant' [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 195 4 195 42] (self : Type.creusat_clause_clause) (n : int)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 196 8 198 9] InvariantInternal0.invariant_internal (Model0.model self) n
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 196 8 198 9] InvariantInternal0.invariant_internal (Model0.model self) n
 end
-module CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface
+module CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface
   use Type
   predicate invariant_mirror (self : Type.creusat_formula_formula)
 end
-module CreuSat_Logic_LogicFormula_Impl1_InvariantMirror
+module CreuSat_Logic_LogicFormula_Impl2_InvariantMirror
   use Type
   use mach.int.Int
   use mach.int.Int32
@@ -1402,10 +1004,10 @@ module CreuSat_Logic_LogicFormula_Impl1_InvariantMirror
   clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant0
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  predicate invariant_mirror [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 106 4 106 37] (self : Type.creusat_formula_formula)
+  predicate invariant_mirror [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 113 4 113 37] (self : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 107 8 114 9] (forall i : (int) . 0 <= i && i < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) -> Invariant0.invariant' (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) i) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self))) && (forall i : (int) . 0 <= i && i < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) -> Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) i)) >= 1)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 114 8 121 9] (forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) -> Invariant0.invariant' (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) i) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self))) /\ (forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) -> Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) i)) >= 1)
 end
 module CreuSat_Logic_LogicFormula_Impl0_Model_Interface
   use Type
@@ -1420,10 +1022,10 @@ module CreuSat_Logic_LogicFormula_Impl0_Model
   use mach.int.UInt64
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  function model [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 15 4 15 35] (self : Type.creusat_formula_formula) : (Seq.seq (Type.creusat_clause_clause), int)
+  function model [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 15 4 15 35] (self : Type.creusat_formula_formula) : (Seq.seq (Type.creusat_clause_clause), int)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 14 4 14 12] (Model0.model (Type.creusat_formula_formula_Formula_clauses self), UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self))
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 14 4 14 12] (Model0.model (Type.creusat_formula_formula_Formula_clauses self), UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self))
 end
 module CreuSat_Logic_LogicFormula_FormulaInvariant_Interface
   use seq.Seq
@@ -1438,10 +1040,10 @@ module CreuSat_Logic_LogicFormula_FormulaInvariant
   use mach.int.Int32
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
   clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant0
-  predicate formula_invariant [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 21 0 21 55] (f : (Seq.seq (Type.creusat_clause_clause), int))
+  predicate formula_invariant [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 28 0 28 55] (f : (Seq.seq (Type.creusat_clause_clause), int))
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 22 4 28 5] (forall i : (int) . 0 <= i && i < Seq.length (let (a, _) = f in a) -> Invariant0.invariant' (Seq.get (let (a, _) = f in a) i) (let (_, a) = f in a)) && (forall i : (int) . 0 <= i && i < Seq.length (let (a, _) = f in a) -> Seq.length (Model0.model (Seq.get (let (a, _) = f in a) i)) > 0)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 29 4 35 5] (forall i : (int) . 0 <= i /\ i < Seq.length (let (a, _) = f in a) -> Invariant0.invariant' (Seq.get (let (a, _) = f in a) i) (let (_, a) = f in a)) /\ (forall i : (int) . 0 <= i /\ i < Seq.length (let (a, _) = f in a) -> Seq.length (Model0.model (Seq.get (let (a, _) = f in a) i)) > 0)
 end
 module CreuSat_Logic_LogicFormula_Impl0_ModelTy
   use seq.Seq
@@ -1454,8 +1056,8 @@ module CreuSat_Logic_LogicFormula_Impl0
   use Type
   clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model2.model
   clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model2.model
   clone CreusotContracts_Logic_Model_Model_Model_Interface as Model1 with type self = Type.creusat_formula_formula,
   function model = Model0.model, type ModelTy0.modelTy = ModelTy0.modelTy
   clone CreusotContracts_Logic_Model_Model_ModelTy as ModelTy1 with type self = Type.creusat_formula_formula,
@@ -1471,54 +1073,28 @@ module CreuSat_Logic_LogicClause_Impl0
   use Type
   clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_lit_lit,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model0 with function Model0.model = Model2.model
   clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicClause_Impl0_Model as Model0 with function Model0.model = Model2.model
   clone CreusotContracts_Logic_Model_Model_Model_Interface as Model1 with type self = Type.creusat_clause_clause,
   function model = Model0.model, type ModelTy0.modelTy = ModelTy0.modelTy
   clone CreusotContracts_Logic_Model_Model_ModelTy as ModelTy1 with type self = Type.creusat_clause_clause,
   type modelTy = ModelTy0.modelTy
 end
-module CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface
+module CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface
   use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
   predicate invariant' (self : Type.creusat_formula_formula)
 end
-module CreuSat_Logic_LogicFormula_Impl1_Invariant
+module CreuSat_Logic_LogicFormula_Impl2_Invariant
   use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
   clone CreuSat_Logic_LogicFormula_FormulaInvariant_Interface as FormulaInvariant0
   clone CreuSat_Logic_LogicFormula_Impl0_Model_Interface as Model0
-  predicate invariant' [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 101 4 101 34] (self : Type.creusat_formula_formula)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 102 8 102 46] FormulaInvariant0.formula_invariant (Model0.model self)
-  axiom invariant'_spec : forall self : Type.creusat_formula_formula . [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 100 4 100 49] invariant' self = InvariantMirror0.invariant_mirror self
-end
-module CreuSat_Logic_LogicFormula_Impl1_Invariant_Impl
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant1.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model2 with function Model0.model = Model3.model
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant0 with function Model0.model = Model2.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model1.model,
-  predicate Invariant0.invariant' = Invariant0.invariant', function Model1.model = Model2.model
-  let rec ghost function invariant' (self : Type.creusat_formula_formula) : bool
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 100 4 100 49] result = InvariantMirror0.invariant_mirror self }
+  predicate invariant' [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 108 4 108 34] (self : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 102 8 102 46] let a' = Model0.model self in FormulaInvariant0.formula_invariant a'
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 109 8 109 46] FormulaInvariant0.formula_invariant (Model0.model self)
+  axiom invariant'_spec : forall self : Type.creusat_formula_formula . [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 107 4 107 49] invariant' self = InvariantMirror0.invariant_mirror self
 end
 module CreuSat_Logic_LogicTrail_Impl0_Invariant_Interface
   use Type
@@ -1533,12 +1109,12 @@ module CreuSat_Logic_LogicTrail_Impl0_Invariant
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  predicate invariant' [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 12 4 12 46] (self : Type.creusat_trail_reason) (f : Type.creusat_formula_formula)
+  predicate invariant' [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 12 4 12 46] (self : Type.creusat_trail_reason) (f : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 13 8 23 9] match (self) with
-      | Type.CreuSat_Trail_Reason_Long cref -> 0 <= UInt64.to_int cref && UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) && Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) > 1
-      | Type.CreuSat_Trail_Reason_Unit cref -> 0 <= UInt64.to_int cref && UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) && Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) = 1
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 13 8 23 9] match (self) with
+      | Type.CreuSat_Trail_Reason_Long cref -> 0 <= UInt64.to_int cref /\ UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) /\ Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) > 1
+      | Type.CreuSat_Trail_Reason_Unit cref -> 0 <= UInt64.to_int cref /\ UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) /\ Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) = 1
       | _ -> true
       end
 end
@@ -1551,10 +1127,10 @@ module CreuSat_Logic_LogicTrail_Impl1_Invariant
   use mach.int.UInt64
   clone CreuSat_Logic_LogicTrail_Impl0_Invariant_Interface as Invariant1
   clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant0
-  predicate invariant' [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 48 4 48 46] (self : Type.creusat_trail_step) (f : Type.creusat_formula_formula)
+  predicate invariant' [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 48 4 48 46] (self : Type.creusat_trail_step) (f : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 49 8 52 9] Invariant0.invariant' (Type.creusat_trail_step_Step_lit self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) && Invariant1.invariant' (Type.creusat_trail_step_Step_reason self) f
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 49 8 52 9] Invariant0.invariant' (Type.creusat_trail_step_Step_lit self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) /\ Invariant1.invariant' (Type.creusat_trail_step_Step_reason self) f
 end
 module CreuSat_Logic_LogicTrail_CrefsInRange_Interface
   use seq.Seq
@@ -1567,10 +1143,10 @@ module CreuSat_Logic_LogicTrail_CrefsInRange
   use mach.int.Int
   use mach.int.Int32
   clone CreuSat_Logic_LogicTrail_Impl1_Invariant_Interface as Invariant0
-  predicate crefs_in_range [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 171 0 171 59] (trail : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula)
+  predicate crefs_in_range [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 171 0 171 59] (trail : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 172 4 175 5] forall i : (int) . 0 <= i && i < Seq.length trail -> Invariant0.invariant' (Seq.get trail i) f
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 172 4 175 5] forall i : (int) . 0 <= i /\ i < Seq.length trail -> Invariant0.invariant' (Seq.get trail i) f
 end
 module CreuSat_Logic_LogicTrail_TrailInvariant_Interface
   use seq.Seq
@@ -1581,10 +1157,10 @@ module CreuSat_Logic_LogicTrail_TrailInvariant
   use seq.Seq
   use Type
   clone CreuSat_Logic_LogicTrail_CrefsInRange_Interface as CrefsInRange0
-  predicate trail_invariant [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 156 0 156 60] (trail : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula)
+  predicate trail_invariant [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 156 0 156 60] (trail : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 157 4 159 5] CrefsInRange0.crefs_in_range trail f
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 157 4 159 5] CrefsInRange0.crefs_in_range trail f
 end
 module CreuSat_Logic_Logic_Unset_Interface
   use mach.int.Int
@@ -1597,8 +1173,8 @@ module CreuSat_Logic_Logic_Unset
   use prelude.Prelude
   use prelude.UInt8
   use mach.int.Int32
-  predicate unset [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 20 0 20 38] (v : uint8) =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 21 4 27 5] if UInt8.to_int v >= 2 then true else false
+  predicate unset [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 66 0 66 38] (v : uint8) =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 67 4 73 5] if UInt8.to_int v >= 2 then true else false
 end
 module CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface
   use Type
@@ -1606,10 +1182,10 @@ module CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface
 end
 module CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic
   use Type
-  function is_positive_logic [@inline:trivial] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 27 4 27 42] (self : Type.creusat_lit_lit) : bool
+  function is_positive_logic [@inline:trivial] [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 27 4 27 42] (self : Type.creusat_lit_lit) : bool
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 28 20 28 33] Type.creusat_lit_lit_Lit_polarity self
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 28 20 28 33] Type.creusat_lit_lit_Lit_polarity self
 end
 module CreuSat_Logic_LogicLit_Impl1_SatInner_Interface
   use Type
@@ -1628,10 +1204,10 @@ module CreuSat_Logic_LogicLit_Impl1_SatInner
   use mach.int.Int32
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
   clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
-  predicate sat_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 81 4 81 57] (self : Type.creusat_lit_lit) (a : Seq.seq uint8)
+  predicate sat_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 81 4 81 57] (self : Type.creusat_lit_lit) (a : Seq.seq uint8)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 82 8 87 9] if IsPositiveLogic0.is_positive_logic self then
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 82 8 87 9] if IsPositiveLogic0.is_positive_logic self then
       UInt8.to_int (Seq.get a (IndexLogic0.index_logic self)) = 1
     else
       UInt8.to_int (Seq.get a (IndexLogic0.index_logic self)) = 0
@@ -1654,10 +1230,10 @@ module CreuSat_Logic_LogicLit_Impl1_UnsatInner
   use mach.int.Int32
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
   clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
-  predicate unsat_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 91 4 91 59] (self : Type.creusat_lit_lit) (a : Seq.seq uint8)
+  predicate unsat_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 91 4 91 59] (self : Type.creusat_lit_lit) (a : Seq.seq uint8)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 92 8 97 9] if IsPositiveLogic0.is_positive_logic self then
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 92 8 97 9] if IsPositiveLogic0.is_positive_logic self then
       UInt8.to_int (Seq.get a (IndexLogic0.index_logic self)) = 0
     else
       UInt8.to_int (Seq.get a (IndexLogic0.index_logic self)) = 1
@@ -1682,10 +1258,10 @@ module CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner
   clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate clause_post_with_regards_to_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 194 0 194 90] (c : Type.creusat_clause_clause) (a : Seq.seq uint8) (j : int)
+  predicate clause_post_with_regards_to_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 194 0 194 90] (c : Type.creusat_clause_clause) (a : Seq.seq uint8) (j : int)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 195 4 199 5] IndexLogic0.index_logic (Seq.get (Model0.model c) 0) = j && SatInner0.sat_inner (Seq.get (Model0.model c) 0) a && (forall i : (int) . 1 <= i && i < Seq.length (Model0.model c) -> UnsatInner0.unsat_inner (Seq.get (Model0.model c) i) a)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 195 4 199 5] IndexLogic0.index_logic (Seq.get (Model0.model c) 0) = j /\ SatInner0.sat_inner (Seq.get (Model0.model c) 0) a /\ (forall i : (int) . 1 <= i /\ i < Seq.length (Model0.model c) -> UnsatInner0.unsat_inner (Seq.get (Model0.model c) i) a)
 end
 module CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface
   use seq.Seq
@@ -1708,10 +1284,10 @@ module CreuSat_Logic_LogicTrail_LongArePostUnitInner
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  predicate long_are_post_unit_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 230 0 230 92] (trail : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula) (a : Seq.seq uint8)
+  predicate long_are_post_unit_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 230 0 230 92] (trail : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula) (a : Seq.seq uint8)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 231 4 237 5] forall j : (int) . 0 <= j && j < Seq.length trail -> match (Type.creusat_trail_step_Step_reason (Seq.get trail j)) with
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 231 4 237 5] forall j : (int) . 0 <= j /\ j < Seq.length trail -> match (Type.creusat_trail_step_Step_reason (Seq.get trail j)) with
       | Type.CreuSat_Trail_Reason_Long k -> ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int k)) a (IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit (Seq.get trail j)))
       | _ -> true
       end
@@ -1724,10 +1300,10 @@ module CreuSat_Logic_LogicLit_Impl1_Sat
   use Type
   clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
   clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate sat [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 106 4 106 44] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments)
+  predicate sat [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 106 4 106 44] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 107 8 107 40] SatInner0.sat_inner self (Model0.model a)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 107 8 107 40] SatInner0.sat_inner self (Model0.model a)
 end
 module CreusotContracts_Std1_Vec_Impl0_ModelTy
   type t
@@ -1740,27 +1316,8 @@ module CreuSat_Lit_Impl1_IsPositive_Interface
   use Type
   clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
   val is_positive [@cfg:stackify] (self : Type.creusat_lit_lit) : bool
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 37 4 37 50] result = IsPositiveLogic0.is_positive_logic self }
-    
-end
-module CreuSat_Lit_Impl1_IsPositive
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  let rec cfg is_positive [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 38 4 38 36] (self : Type.creusat_lit_lit) : bool
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 37 4 37 50] result = IsPositiveLogic0.is_positive_logic self }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 37 4 37 50] result = IsPositiveLogic0.is_positive_logic self }
     
-   =
-  var _0 : bool;
-  var self_1 : Type.creusat_lit_lit;
-  {
-    self_1 <- self;
-    goto BB0
-  }
-  BB0 {
-    _0 <- Type.creusat_lit_lit_Lit_polarity self_1;
-    return _0
-  }
-  
 end
 module CreuSat_Lit_Impl1_Index_Interface
   use mach.int.UInt64
@@ -1769,30 +1326,8 @@ module CreuSat_Lit_Impl1_Index_Interface
   use prelude.Prelude
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
   val index [@cfg:stackify] (self : Type.creusat_lit_lit) : usize
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 30 4 30 45] UInt64.to_int result = IndexLogic0.index_logic self }
-    
-end
-module CreuSat_Lit_Impl1_Index
-  use mach.int.UInt64
-  use Type
-  use mach.int.Int
-  use prelude.Prelude
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  let rec cfg index [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 31 4 31 31] (self : Type.creusat_lit_lit) : usize
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 30 4 30 45] UInt64.to_int result = IndexLogic0.index_logic self }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 30 4 30 45] UInt64.to_int result = IndexLogic0.index_logic self }
     
-   =
-  var _0 : usize;
-  var self_1 : Type.creusat_lit_lit;
-  {
-    self_1 <- self;
-    goto BB0
-  }
-  BB0 {
-    _0 <- Type.creusat_lit_lit_Lit_idx self_1;
-    return _0
-  }
-  
 end
 module CreuSat_Assignments_Impl2_SetAssignment_Interface
   use mach.int.UInt64
@@ -1801,278 +1336,50 @@ module CreuSat_Assignments_Impl2_SetAssignment_Interface
   use mach.int.Int32
   use prelude.Prelude
   use Type
+  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy1
+  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
   clone CreuSat_Logic_LogicLit_Impl1_Sat_Interface as Sat0
   clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model2
   clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
   clone CreuSat_Logic_Logic_Unset_Interface as Unset0
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy1
   clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model1 with type t = Type.creusat_assignments_assignments,
   type ModelTy0.modelTy = ModelTy1.modelTy
   clone CreuSat_Logic_LogicTrail_TrailInvariant_Interface as TrailInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global
   clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global),
   type ModelTy0.modelTy = ModelTy0.modelTy
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant2 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant2 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   axiom .
   clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant1
   clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant0
   val set_assignment [@cfg:stackify] (self : borrowed (Type.creusat_assignments_assignments)) (lit : Type.creusat_lit_lit) (_f : Type.creusat_formula_formula) (_t : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global)) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 61 4 61 43] Invariant0.invariant' ( * self) _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 62 4 62 44] Invariant1.invariant' lit (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 63 4 63 31] Invariant2.invariant' _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 64 4 64 42] TrailInvariant0.trail_invariant (Model0.model _t) _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 65 4 65 50] Unset0.unset (Seq.get (Model1.model self) (IndexLogic0.index_logic lit))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 66 4 66 58] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model _t) _f (Model1.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 61 4 61 43] Invariant0.invariant' ( ^ self) _f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 67 4 67 58] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model _t) _f (Model2.model ( ^ self)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 68 4 68 51] not Unset0.unset (Seq.get (Model2.model ( ^ self)) (IndexLogic0.index_logic lit)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 69 4 69 47] Seq.length (Model2.model ( ^ self)) = Seq.length (Model1.model self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 70 4 71 71] forall j : (int) . 0 <= j && j < Seq.length (Model1.model self) && j <> IndexLogic0.index_logic lit -> Seq.get (Model2.model ( * self)) j = Seq.get (Model2.model ( ^ self)) j }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 72 4 72 30] Sat0.sat lit ( ^ self) }
-    
-end
-module CreuSat_Assignments_Impl2_SetAssignment
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  use prelude.UInt8
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model7 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model2 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant0 with function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant5 with function Model0.model = Model5.model,
-  function Model1.model = Model7.model
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model3 with function Model0.model = Model5.model
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy1
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model1 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant1.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model7.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model5.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model7.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant2 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model3.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant4 with predicate Invariant0.invariant' = Invariant1.invariant',
-  predicate Invariant1.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant4.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = uint8
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy2 with type t = uint8
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = uint8
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = uint8
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = uint8
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = uint8
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_assignments_assignments
-  clone CreuSat_Lit_Impl1_IsPositive_Interface as IsPositive0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = uint8, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model6.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone CreuSat_Lit_Impl1_Index_Interface as Index0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  let rec cfg set_assignment [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 73 4 73 76] (self : borrowed (Type.creusat_assignments_assignments)) (lit : Type.creusat_lit_lit) (_f : Type.creusat_formula_formula) (_t : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global)) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 61 4 61 43] Invariant0.invariant' ( * self) _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 62 4 62 44] Invariant1.invariant' lit (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 63 4 63 31] Invariant2.invariant' _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 64 4 64 42] TrailInvariant0.trail_invariant (Model0.model _t) _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 65 4 65 50] Unset0.unset (Seq.get (Model1.model self) (IndexLogic0.index_logic lit))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 66 4 66 58] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model _t) _f (Model1.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 61 4 61 43] Invariant0.invariant' ( ^ self) _f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 67 4 67 58] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model _t) _f (Model2.model ( ^ self)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 68 4 68 51] not Unset0.unset (Seq.get (Model2.model ( ^ self)) (IndexLogic0.index_logic lit)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 69 4 69 47] Seq.length (Model2.model ( ^ self)) = Seq.length (Model1.model self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 70 4 71 71] forall j : (int) . 0 <= j && j < Seq.length (Model1.model self) && j <> IndexLogic0.index_logic lit -> Seq.get (Model2.model ( * self)) j = Seq.get (Model2.model ( ^ self)) j }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 72 4 72 30] Sat0.sat lit ( ^ self) }
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 61 4 61 43] Invariant0.invariant' ( * self) _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 62 4 62 44] Invariant1.invariant' lit (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 63 4 63 31] Invariant2.invariant' _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 64 4 64 42] TrailInvariant0.trail_invariant (Model0.model _t) _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 65 4 65 50] Unset0.unset (Seq.get (Model1.model self) (IndexLogic0.index_logic lit))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 66 4 66 58] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model _t) _f (Model1.model self)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 61 4 61 43] Invariant0.invariant' ( ^ self) _f }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 67 4 67 58] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model _t) _f (Model2.model ( ^ self)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 68 4 68 51] not Unset0.unset (Seq.get (Model2.model ( ^ self)) (IndexLogic0.index_logic lit)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 69 4 69 47] Seq.length (Model2.model ( ^ self)) = Seq.length (Model1.model self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 70 4 71 71] forall j : (int) . 0 <= j /\ j < Seq.length (Model1.model self) /\ j <> IndexLogic0.index_logic lit -> Seq.get (Model2.model ( * self)) j = Seq.get (Model2.model ( ^ self)) j }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 72 4 72 30] Sat0.sat lit ( ^ self) }
     
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_assignments_assignments);
-  var lit_2 : Type.creusat_lit_lit;
-  var _f_3 : Type.creusat_formula_formula;
-  var _t_4 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  ghost var old_self_5 : borrowed (Type.creusat_assignments_assignments);
-  var _6 : ();
-  var _7 : bool;
-  var _8 : Type.creusat_lit_lit;
-  var _9 : borrowed uint8;
-  var _10 : borrowed (Type.alloc_vec_vec uint8 (Type.alloc_alloc_global));
-  var _11 : usize;
-  var _12 : Type.creusat_lit_lit;
-  var _13 : borrowed uint8;
-  var _14 : borrowed (Type.alloc_vec_vec uint8 (Type.alloc_alloc_global));
-  var _15 : usize;
-  var _16 : Type.creusat_lit_lit;
-  {
-    self_1 <- self;
-    lit_2 <- lit;
-    _f_3 <- _f;
-    _t_4 <- _t;
-    goto BB0
-  }
-  BB0 {
-    _6 <- ();
-    old_self_5 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 74 23 74 38] self_1);
-    goto BB1
-  }
-  BB1 {
-    _8 <- lit_2;
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 76 11 76 28] IsPositive0.is_positive _8);
-    goto BB2
-  }
-  BB2 {
-    switch (_7)
-      | False -> goto BB6
-      | _ -> goto BB3
-      end
-  }
-  BB3 {
-    _10 <- borrow_mut (Type.creusat_assignments_assignments_Assignments_0 ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Assignments_Assignments a =  * self_1 in Type.CreuSat_Assignments_Assignments ( ^ _10)) };
-    assume { Resolve0.resolve self_1 };
-    _12 <- lit_2;
-    _11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 77 19 77 30] Index0.index _12);
-    goto BB4
-  }
-  BB4 {
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 77 12 77 31] IndexMut0.index_mut _10 _11);
-    goto BB5
-  }
-  BB5 {
-    _9 <- { _9 with current = (1 : uint8) };
-    assume { Resolve1.resolve _9 };
-    _0 <- ();
-    goto BB9
-  }
-  BB6 {
-    _14 <- borrow_mut (Type.creusat_assignments_assignments_Assignments_0 ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Assignments_Assignments a =  * self_1 in Type.CreuSat_Assignments_Assignments ( ^ _14)) };
-    assume { Resolve0.resolve self_1 };
-    _16 <- lit_2;
-    _15 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 79 19 79 30] Index0.index _16);
-    goto BB7
-  }
-  BB7 {
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 79 12 79 31] IndexMut0.index_mut _14 _15);
-    goto BB8
-  }
-  BB8 {
-    _13 <- { _13 with current = (0 : uint8) };
-    assume { Resolve1.resolve _13 };
-    _0 <- ();
-    goto BB9
-  }
-  BB9 {
-    return _0
-  }
-  
 end
 module CreuSat_Assignments_Impl2_New_Interface
   use prelude.Prelude
   use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
   clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   axiom .
   val new [@cfg:stackify] (f : Type.creusat_formula_formula) : Type.creusat_assignments_assignments
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 85 4 85 30] Invariant0.invariant' f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 86 4 86 36] Invariant1.invariant' result f }
-    
-end
-module CreuSat_Assignments_Impl2_New
-  use prelude.Prelude
-  use Type
-  use mach.int.Int
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant3 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model3 with function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant2 with function Model0.model = Model3.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model3.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model1 with function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant1 with function Model0.model = Model1.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model2.model,
-  predicate Invariant0.invariant' = Invariant2.invariant', function Model1.model = Model3.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model0.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  use mach.int.UInt64
-  clone Alloc_Vec_FromElem_Interface as FromElem0 with type t = uint8, function Model0.model = Model4.model
-  let rec cfg new [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 87 4 87 35] (f : Type.creusat_formula_formula) : Type.creusat_assignments_assignments
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 85 4 85 30] Invariant0.invariant' f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 86 4 86 36] Invariant1.invariant' result f }
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 85 4 85 30] Invariant0.invariant' f}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/assignments.rs" 86 4 86 36] Invariant1.invariant' result f }
     
-   =
-  var _0 : Type.creusat_assignments_assignments;
-  var f_1 : Type.creusat_formula_formula;
-  var _2 : Type.alloc_vec_vec uint8 (Type.alloc_alloc_global);
-  var _3 : usize;
-  {
-    f_1 <- f;
-    goto BB0
-  }
-  BB0 {
-    _3 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    _2 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/assignments.rs" 88 20 88 49] FromElem0.from_elem (2 : uint8) _3);
-    goto BB1
-  }
-  BB1 {
-    _0 <- Type.CreuSat_Assignments_Assignments _2;
-    goto BB2
-  }
-  BB2 {
-    return _0
-  }
-  
 end
 module CreuSat_Clause_Impl0_Index_Interface
   use mach.int.UInt64
@@ -2084,252 +1391,58 @@ module CreuSat_Clause_Impl0_Index_Interface
   clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type ModelTy0.modelTy = ModelTy0.modelTy
   val index [@cfg:stackify] (self : Type.creusat_clause_clause) (ix : usize) : Type.creusat_lit_lit
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 22 4 22 36] UInt64.to_int ix < Seq.length (Model0.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 23 4 23 39] Seq.get (Model0.model self) (UInt64.to_int ix) = result }
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 22 4 22 36] UInt64.to_int ix < Seq.length (Model0.model self)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 23 4 23 39] Seq.get (Model0.model self) (UInt64.to_int ix) = result }
     
 end
-module CreuSat_Clause_Impl0_Index
+module CreuSat_Clause_Impl1_IndexMut_Interface
   use mach.int.UInt64
   use seq.Seq
   use mach.int.Int
+  use mach.int.Int32
   use prelude.Prelude
   use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model2.model
   clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_lit_lit
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_lit_lit
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_lit_lit
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_lit_lit
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.creusat_lit_lit, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  let rec cfg index [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 24 4 24 38] (self : Type.creusat_clause_clause) (ix : usize) : Type.creusat_lit_lit
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 22 4 22 36] UInt64.to_int ix < Seq.length (Model0.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 23 4 23 39] Seq.get (Model0.model self) (UInt64.to_int ix) = result }
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
+  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  val index_mut [@cfg:stackify] (self : borrowed (Type.creusat_clause_clause)) (ix : usize) : borrowed (Type.creusat_lit_lit)
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 36 4 36 36] UInt64.to_int ix < Seq.length (Model0.model self)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 37 4 37 40] Seq.get (Model1.model ( * self)) (UInt64.to_int ix) =  * result }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 38 4 38 40] Seq.get (Model1.model ( ^ self)) (UInt64.to_int ix) =  ^ result }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 39 4 39 101] forall i : (int) . 0 <= i /\ i <> UInt64.to_int ix /\ i < Seq.length (Model0.model self) -> Seq.get (Model0.model self) i = Seq.get (Model1.model ( ^ self)) i }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 40 4 40 48] Seq.length (Model1.model ( ^ self)) = Seq.length (Model1.model ( * self)) }
     
-   =
-  var _0 : Type.creusat_lit_lit;
-  var self_1 : Type.creusat_clause_clause;
-  var ix_2 : usize;
-  var _3 : Type.creusat_lit_lit;
-  var _4 : Type.creusat_lit_lit;
-  var _5 : Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global);
-  var _6 : usize;
-  {
-    self_1 <- self;
-    ix_2 <- ix;
-    goto BB0
-  }
-  BB0 {
-    _5 <- Type.creusat_clause_clause_Clause_lits self_1;
-    _6 <- ix_2;
-    _4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 30 9 30 22] Index0.index _5 _6);
-    goto BB1
-  }
-  BB1 {
-    _3 <- _4;
-    _0 <- _3;
-    return _0
-  }
-  
 end
-module CreuSat_Clause_Impl1_IndexMut_Interface
+module CreuSat_Clause_Impl2_Clone_Interface
+  use prelude.Prelude
+  use Type
+  val clone' [@cfg:stackify] (self : Type.creusat_clause_clause) : Type.creusat_clause_clause
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 53 4 53 31] result = self }
+    
+end
+module CreuSat_Clause_Impl3_Len_Interface
   use mach.int.UInt64
   use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
   use prelude.Prelude
   use Type
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
+  use mach.int.Int
   clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type ModelTy0.modelTy = ModelTy0.modelTy
-  val index_mut [@cfg:stackify] (self : borrowed (Type.creusat_clause_clause)) (ix : usize) : borrowed (Type.creusat_lit_lit)
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 36 4 36 36] UInt64.to_int ix < Seq.length (Model0.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 37 4 37 40] Seq.get (Model1.model ( * self)) (UInt64.to_int ix) =  * result }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 38 4 38 40] Seq.get (Model1.model ( ^ self)) (UInt64.to_int ix) =  ^ result }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 39 4 39 101] forall i : (int) . 0 <= i && i <> UInt64.to_int ix && i < Seq.length (Model0.model self) -> Seq.get (Model0.model self) i = Seq.get (Model1.model ( ^ self)) i }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 40 4 40 48] Seq.length (Model1.model ( ^ self)) = Seq.length (Model1.model ( * self)) }
+  val len [@cfg:stackify] (self : Type.creusat_clause_clause) : usize
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 102 4 102 40] UInt64.to_int result = Seq.length (Model0.model self) }
     
 end
-module CreuSat_Clause_Impl1_IndexMut
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model0 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_lit_lit
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_lit_lit
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_lit_lit
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = Type.creusat_lit_lit
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_lit_lit
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_lit_lit
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_clause_clause
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = Type.creusat_lit_lit, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  let rec cfg index_mut [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 41 4 41 50] (self : borrowed (Type.creusat_clause_clause)) (ix : usize) : borrowed (Type.creusat_lit_lit)
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 36 4 36 36] UInt64.to_int ix < Seq.length (Model0.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 37 4 37 40] Seq.get (Model1.model ( * self)) (UInt64.to_int ix) =  * result }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 38 4 38 40] Seq.get (Model1.model ( ^ self)) (UInt64.to_int ix) =  ^ result }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 39 4 39 101] forall i : (int) . 0 <= i && i <> UInt64.to_int ix && i < Seq.length (Model0.model self) -> Seq.get (Model0.model self) i = Seq.get (Model1.model ( ^ self)) i }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 40 4 40 48] Seq.length (Model1.model ( ^ self)) = Seq.length (Model1.model ( * self)) }
-    
-   =
-  var _0 : borrowed (Type.creusat_lit_lit);
-  var self_1 : borrowed (Type.creusat_clause_clause);
-  var ix_2 : usize;
-  var _3 : borrowed (Type.creusat_lit_lit);
-  var _4 : borrowed (Type.creusat_lit_lit);
-  var _5 : borrowed (Type.creusat_lit_lit);
-  var _6 : borrowed (Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global));
-  var _7 : usize;
-  {
-    self_1 <- self;
-    ix_2 <- ix;
-    goto BB0
-  }
-  BB0 {
-    _6 <- borrow_mut (Type.creusat_clause_clause_Clause_lits ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Clause_Clause a b c d =  * self_1 in Type.CreuSat_Clause_Clause a b c ( ^ _6)) };
-    assume { Resolve0.resolve self_1 };
-    _7 <- ix_2;
-    _5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 47 13 47 26] IndexMut0.index_mut _6 _7);
-    goto BB1
-  }
-  BB1 {
-    _4 <- borrow_mut ( * _5);
-    _5 <- { _5 with current = ( ^ _4) };
-    assume { Resolve1.resolve _5 };
-    _3 <- borrow_mut ( * _4);
-    _4 <- { _4 with current = ( ^ _3) };
-    assume { Resolve1.resolve _4 };
-    _0 <- borrow_mut ( * _3);
-    _3 <- { _3 with current = ( ^ _0) };
-    assume { Resolve1.resolve _3 };
-    return _0
-  }
-  
-end
-module CreuSat_Clause_Impl2_Clone_Interface
-  use prelude.Prelude
-  use Type
-  val clone' [@cfg:stackify] (self : Type.creusat_clause_clause) : Type.creusat_clause_clause
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 53 4 53 31] result = self }
-    
-end
-module CreuSat_Clause_Impl2_Clone
-  use prelude.Prelude
-  use Type
-  val clone' [@cfg:stackify] (self : Type.creusat_clause_clause) : Type.creusat_clause_clause
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 53 4 53 31] result = self }
-    
-end
-module CreuSat_Clause_Impl3_Len_Interface
-  use mach.int.UInt64
-  use seq.Seq
-  use prelude.Prelude
-  use Type
-  use mach.int.Int
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  val len [@cfg:stackify] (self : Type.creusat_clause_clause) : usize
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 102 4 102 40] UInt64.to_int result = Seq.length (Model0.model self) }
-    
-end
-module CreuSat_Clause_Impl3_Len
-  use mach.int.UInt64
-  use seq.Seq
-  use prelude.Prelude
-  use Type
-  use mach.int.Int
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_lit_lit, type a = Type.alloc_alloc_global,
-  function Model0.model = Model2.model
-  let rec cfg len [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 103 4 103 30] (self : Type.creusat_clause_clause) : usize
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 102 4 102 40] UInt64.to_int result = Seq.length (Model0.model self) }
-    
-   =
-  var _0 : usize;
-  var self_1 : Type.creusat_clause_clause;
-  var _2 : Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global);
-  {
-    self_1 <- self;
-    goto BB0
-  }
-  BB0 {
-    _2 <- Type.creusat_clause_clause_Clause_lits self_1;
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 104 8 104 23] Len0.len _2);
-    goto BB1
-  }
-  BB1 {
-    return _0
-  }
-  
-end
-module CreuSat_Lit_Impl1_CheckLitInvariant_Interface
+module CreuSat_Lit_Impl1_CheckLitInvariant_Interface
   use mach.int.UInt64
   use prelude.Prelude
   use Type
   use mach.int.Int
   clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant0
   val check_lit_invariant [@cfg:stackify] (self : Type.creusat_lit_lit) (n : usize) : bool
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 44 4 44 44] result = Invariant0.invariant' self (UInt64.to_int n) }
-    
-end
-module CreuSat_Lit_Impl1_CheckLitInvariant
-  use mach.int.UInt64
-  use prelude.Prelude
-  use Type
-  use mach.int.Int
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Lit_Impl1_Index_Interface as Index0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  let rec cfg check_lit_invariant [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 45 4 45 55] (self : Type.creusat_lit_lit) (n : usize) : bool
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 44 4 44 44] result = Invariant0.invariant' self (UInt64.to_int n) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 44 4 44 44] result = Invariant0.invariant' self (UInt64.to_int n) }
     
-   =
-  var _0 : bool;
-  var self_1 : Type.creusat_lit_lit;
-  var n_2 : usize;
-  var _3 : usize;
-  var _4 : Type.creusat_lit_lit;
-  var _5 : usize;
-  {
-    self_1 <- self;
-    n_2 <- n;
-    goto BB0
-  }
-  BB0 {
-    _4 <- self_1;
-    _3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 46 8 46 20] Index0.index _4);
-    goto BB1
-  }
-  BB1 {
-    _5 <- n_2;
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 46 8 46 24] _3 < _5);
-    return _0
-  }
-  
 end
 module CreuSat_Logic_LogicClause_Impl2_NoDuplicateIndexes_Interface
   use Type
@@ -2339,10 +1452,10 @@ module CreuSat_Logic_LogicClause_Impl2_NoDuplicateIndexes
   use Type
   clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner_Interface as NoDuplicateIndexesInner0
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate no_duplicate_indexes [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 183 4 183 45] (self : Type.creusat_clause_clause)
+  predicate no_duplicate_indexes [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 183 4 183 45] (self : Type.creusat_clause_clause)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 184 8 184 55] NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model0.model self)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 184 8 184 55] NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model0.model self)
 end
 module CreuSat_Clause_Impl0_Output
   use Type
@@ -2362,15 +1475,6 @@ module Core_Ops_Index_Index_Index_Interface
   val index [@cfg:stackify] (self : self) (index : idx) : Output0.output
     requires {false}
     
-end
-module Core_Ops_Index_Index_Index
-  type self
-  type idx
-  use prelude.Prelude
-  clone Core_Ops_Index_Index_Output as Output0 with type self = self, type idx = idx
-  val index [@cfg:stackify] (self : self) (index : idx) : Output0.output
-    requires {false}
-    
 end
 module CreuSat_Clause_Impl0
   use Type
@@ -2383,8 +1487,8 @@ module CreuSat_Clause_Impl0
   clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
   clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
   type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index0 with function Model0.model = Model0.model
   clone CreuSat_Clause_Impl0_Output as Output0
+  clone CreuSat_Clause_Impl0_Index_Interface as Index0 with function Model0.model = Model0.model
   clone Core_Ops_Index_Index_Index_Interface as Index1 with type self = Type.creusat_clause_clause, type idx = usize,
   val index = Index0.index, type Output0.output = Output0.output
   clone Core_Ops_Index_Index_Output as Output1 with type self = Type.creusat_clause_clause, type idx = usize,
@@ -2395,160 +1499,8 @@ module CreuSat_Clause_Impl3_NoDuplicates_Interface
   use Type
   clone CreuSat_Logic_LogicClause_Impl2_NoDuplicateIndexes_Interface as NoDuplicateIndexes0
   val no_duplicates [@cfg:stackify] (self : Type.creusat_clause_clause) : bool
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 78 4 78 53] result = NoDuplicateIndexes0.no_duplicate_indexes self }
-    
-end
-module CreuSat_Clause_Impl3_NoDuplicates
-  use prelude.Prelude
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  use seq.Seq
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_NoDuplicateIndexes as NoDuplicateIndexes0 with function Model0.model = Model1.model,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Lit_Impl1_Index_Interface as Index1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Clause_Impl0_Index_Interface as Index0 with function Model0.model = Model0.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len0 with function Model0.model = Model0.model
-  let rec cfg no_duplicates [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 79 4 79 39] (self : Type.creusat_clause_clause) : bool
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 78 4 78 53] result = NoDuplicateIndexes0.no_duplicate_indexes self }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 78 4 78 53] result = NoDuplicateIndexes0.no_duplicate_indexes self }
     
-   =
-  var _0 : bool;
-  var self_1 : Type.creusat_clause_clause;
-  var i_2 : usize;
-  var _3 : ();
-  var _4 : ();
-  var _5 : bool;
-  var _6 : usize;
-  var _7 : usize;
-  var _8 : Type.creusat_clause_clause;
-  var lit1_9 : Type.creusat_lit_lit;
-  var _10 : Type.creusat_lit_lit;
-  var _11 : Type.creusat_clause_clause;
-  var _12 : usize;
-  var j_13 : usize;
-  var _14 : ();
-  var _15 : bool;
-  var _16 : usize;
-  var _17 : usize;
-  var lit2_18 : Type.creusat_lit_lit;
-  var _19 : Type.creusat_lit_lit;
-  var _20 : Type.creusat_clause_clause;
-  var _21 : usize;
-  var _22 : ();
-  var _23 : bool;
-  var _24 : usize;
-  var _25 : Type.creusat_lit_lit;
-  var _26 : usize;
-  var _27 : Type.creusat_lit_lit;
-  var _28 : ();
-  var _29 : ();
-  var _30 : ();
-  var _31 : ();
-  var _32 : ();
-  var _33 : ();
-  var _34 : ();
-  {
-    self_1 <- self;
-    goto BB0
-  }
-  BB0 {
-    i_2 <- (0 : usize);
-    goto BB1
-  }
-  BB1 {
-    invariant no_dups { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 81 8 83 87] forall k : (int) . forall j : (int) . 0 <= j && j < UInt64.to_int i_2 && 0 <= k && k < j -> IndexLogic0.index_logic (Seq.get (Model0.model self_1) j) <> IndexLogic0.index_logic (Seq.get (Model0.model self_1) k) };
-    _6 <- i_2;
-    _8 <- self_1;
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 84 18 84 28] Len0.len _8);
-    goto BB2
-  }
-  BB2 {
-    _5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 84 14 84 28] _6 < _7);
-    switch (_5)
-      | False -> goto BB13
-      | _ -> goto BB3
-      end
-  }
-  BB3 {
-    _11 <- self_1;
-    _12 <- i_2;
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 85 23 85 30] Index0.index _11 _12);
-    goto BB4
-  }
-  BB4 {
-    lit1_9 <- _10;
-    j_13 <- (0 : usize);
-    goto BB5
-  }
-  BB5 {
-    invariant inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 87 12 87 113] forall k : (int) . 0 <= k && k < UInt64.to_int j_13 -> IndexLogic0.index_logic lit1_9 <> IndexLogic0.index_logic (Seq.get (Model0.model self_1) k) };
-    _16 <- j_13;
-    _17 <- i_2;
-    _15 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 88 18 88 23] _16 < _17);
-    switch (_15)
-      | False -> goto BB12
-      | _ -> goto BB6
-      end
-  }
-  BB6 {
-    _20 <- self_1;
-    _21 <- j_13;
-    _19 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 89 27 89 34] Index0.index _20 _21);
-    goto BB7
-  }
-  BB7 {
-    lit2_18 <- _19;
-    _25 <- lit1_9;
-    _24 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 90 19 90 31] Index1.index _25);
-    goto BB8
-  }
-  BB8 {
-    _27 <- lit2_18;
-    _26 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 90 35 90 47] Index1.index _27);
-    goto BB9
-  }
-  BB9 {
-    _23 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 90 19 90 47] _24 = _26);
-    switch (_23)
-      | False -> goto BB11
-      | _ -> goto BB10
-      end
-  }
-  BB10 {
-    _0 <- false;
-    goto BB14
-  }
-  BB11 {
-    _22 <- ();
-    j_13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 93 16 93 22] j_13 + (1 : usize));
-    _4 <- ();
-    goto BB5
-  }
-  BB12 {
-    _14 <- ();
-    i_2 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 95 12 95 18] i_2 + (1 : usize));
-    _4 <- ();
-    goto BB1
-  }
-  BB13 {
-    _3 <- ();
-    _0 <- true;
-    goto BB14
-  }
-  BB14 {
-    return _0
-  }
-  
 end
 module CreuSat_Clause_Impl3_CheckClauseInvariant_Interface
   use mach.int.UInt64
@@ -2557,173 +1509,29 @@ module CreuSat_Clause_Impl3_CheckClauseInvariant_Interface
   use mach.int.Int
   clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant0
   val check_clause_invariant [@cfg:stackify] (self : Type.creusat_clause_clause) (n : usize) : bool
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 61 4 61 44] result = Invariant0.invariant' self (UInt64.to_int n) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 61 4 61 44] result = Invariant0.invariant' self (UInt64.to_int n) }
     
 end
-module CreuSat_Clause_Impl3_CheckClauseInvariant
-  use mach.int.UInt64
+module CreuSat_Clause_Impl3_ClauseFromVec_Interface
   use prelude.Prelude
+  use seq.Seq
+  use Type
+  val clause_from_vec [@cfg:stackify] (vec : seq (Type.creusat_lit_lit)) : Type.creusat_clause_clause
+end
+module CreuSat_Logic_LogicLit_Impl1_LitIn_Interface
+  use Type
+  predicate lit_in (self : Type.creusat_lit_lit) (c : Type.creusat_clause_clause)
+end
+module CreuSat_Logic_LogicLit_Impl1_LitIn
   use Type
   use mach.int.Int
   use mach.int.Int32
   use seq.Seq
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant1.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant0 with function Model0.model = Model1.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicClause_Impl2_NoDuplicateIndexes as NoDuplicateIndexes0 with function Model0.model = Model1.model,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Clause_Impl3_NoDuplicates_Interface as NoDuplicates0 with predicate NoDuplicateIndexes0.no_duplicate_indexes = NoDuplicateIndexes0.no_duplicate_indexes
-  clone CreuSat_Lit_Impl1_CheckLitInvariant_Interface as CheckLitInvariant0 with predicate Invariant0.invariant' = Invariant1.invariant'
-  clone CreuSat_Clause_Impl0_Index_Interface as Index0 with function Model0.model = Model0.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len0 with function Model0.model = Model0.model
-  let rec cfg check_clause_invariant [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 62 4 62 58] (self : Type.creusat_clause_clause) (n : usize) : bool
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 61 4 61 44] result = Invariant0.invariant' self (UInt64.to_int n) }
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
+  predicate lit_in [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 61 4 61 42] (self : Type.creusat_lit_lit) (c : Type.creusat_clause_clause)
     
    =
-  var _0 : bool;
-  var self_1 : Type.creusat_clause_clause;
-  var n_2 : usize;
-  var i_3 : usize;
-  var _4 : ();
-  var _5 : ();
-  var _6 : bool;
-  var _7 : usize;
-  var _8 : usize;
-  var _9 : Type.creusat_clause_clause;
-  var _10 : ();
-  var _11 : bool;
-  var _12 : bool;
-  var _13 : Type.creusat_lit_lit;
-  var _14 : Type.creusat_lit_lit;
-  var _15 : Type.creusat_clause_clause;
-  var _16 : usize;
-  var _17 : usize;
-  var _18 : ();
-  var _19 : ();
-  var _20 : ();
-  var _21 : ();
-  var _22 : ();
-  var _23 : bool;
-  var _24 : Type.creusat_clause_clause;
-  var _25 : ();
-  {
-    self_1 <- self;
-    n_2 <- n;
-    goto BB0
-  }
-  BB0 {
-    i_3 <- (0 : usize);
-    goto BB1
-  }
-  BB1 {
-    invariant inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 64 8 64 87] forall j : (int) . 0 <= j && j < UInt64.to_int i_3 -> Invariant1.invariant' (Seq.get (Model0.model self_1) j) (UInt64.to_int n_2) };
-    _7 <- i_3;
-    _9 <- self_1;
-    _8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 65 18 65 28] Len0.len _9);
-    goto BB2
-  }
-  BB2 {
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 65 14 65 28] _7 < _8);
-    switch (_6)
-      | False -> goto BB8
-      | _ -> goto BB3
-      end
-  }
-  BB3 {
-    _15 <- self_1;
-    _16 <- i_3;
-    _14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 66 16 66 23] Index0.index _15 _16);
-    goto BB4
-  }
-  BB4 {
-    _13 <- _14;
-    _17 <- n_2;
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 66 16 66 46] CheckLitInvariant0.check_lit_invariant _13 _17);
-    goto BB5
-  }
-  BB5 {
-    _11 <- not _12;
-    switch (_11)
-      | False -> goto BB7
-      | _ -> goto BB6
-      end
-  }
-  BB6 {
-    _0 <- false;
-    goto BB12
-  }
-  BB7 {
-    _10 <- ();
-    i_3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 69 12 69 18] i_3 + (1 : usize));
-    _5 <- ();
-    goto BB1
-  }
-  BB8 {
-    _4 <- ();
-    _24 <- self_1;
-    _23 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 71 11 71 31] NoDuplicates0.no_duplicates _24);
-    goto BB9
-  }
-  BB9 {
-    switch (_23)
-      | False -> goto BB11
-      | _ -> goto BB10
-      end
-  }
-  BB10 {
-    _0 <- true;
-    goto BB12
-  }
-  BB11 {
-    _22 <- ();
-    _0 <- false;
-    goto BB13
-  }
-  BB12 {
-    goto BB13
-  }
-  BB13 {
-    return _0
-  }
-  
-end
-module CreuSat_Clause_Impl3_ClauseFromVec_Interface
-  use prelude.Prelude
-  use seq.Seq
-  use Type
-  val clause_from_vec [@cfg:stackify] (vec : seq (Type.creusat_lit_lit)) : Type.creusat_clause_clause
-end
-module CreuSat_Clause_Impl3_ClauseFromVec
-  use prelude.Prelude
-  use seq.Seq
-  use Type
-  val clause_from_vec [@cfg:stackify] (vec : seq (Type.creusat_lit_lit)) : Type.creusat_clause_clause
-end
-module CreuSat_Logic_LogicLit_Impl1_LitIn_Interface
-  use Type
-  predicate lit_in (self : Type.creusat_lit_lit) (c : Type.creusat_clause_clause)
-end
-module CreuSat_Logic_LogicLit_Impl1_LitIn
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  use seq.Seq
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate lit_in [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 61 4 61 42] (self : Type.creusat_lit_lit) (c : Type.creusat_clause_clause)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 62 8 64 9] exists i : (int) . 0 <= i && i < Seq.length (Model0.model c) && Seq.get (Model0.model c) i = self
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 62 8 64 9] exists i : (int) . 0 <= i /\ i < Seq.length (Model0.model c) /\ Seq.get (Model0.model c) i = self
 end
 module CreusotContracts_Std1_Slice_Impl0_Model_Interface
   type t
@@ -2754,19 +1562,6 @@ module Alloc_Vec_Impl11_DerefMut_Interface
     ensures { Model0.model ( * result) = Model1.model ( * self) }
     ensures { Model0.model ( ^ result) = Model1.model ( ^ self) }
     
-end
-module Alloc_Vec_Impl11_DerefMut
-  type t
-  type a
-  use prelude.Prelude
-  use Type
-  use seq.Seq
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = t, type a = a, axiom .
-  clone CreusotContracts_Std1_Slice_Impl0_Model_Interface as Model0 with type t = t, axiom .
-  val deref_mut [@cfg:stackify] (self : borrowed (Type.alloc_vec_vec t a)) : borrowed (seq t)
-    ensures { Model0.model ( * result) = Model1.model ( * self) }
-    ensures { Model0.model ( ^ result) = Model1.model ( ^ self) }
-    
 end
 module Core_Slice_Impl0_Swap_Interface
   type t
@@ -2775,25 +1570,8 @@ module Core_Slice_Impl0_Swap_Interface
   use mach.int.Int
   use seq.Permut
   use prelude.Prelude
-  clone CreusotContracts_Std1_Slice_Impl0_Model_Interface as Model1 with type t = t, axiom .
   clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = t
-  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model0 with type t = seq t,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  val swap [@cfg:stackify] (self : borrowed (seq t)) (a : usize) (b : usize) : ()
-    requires {UInt64.to_int a < Seq.length (Model0.model self)}
-    requires {UInt64.to_int b < Seq.length (Model0.model self)}
-    ensures { Permut.exchange (Model1.model ( ^ self)) (Model1.model ( * self)) (UInt64.to_int a) (UInt64.to_int b) }
-    
-end
-module Core_Slice_Impl0_Swap
-  type t
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use seq.Permut
-  use prelude.Prelude
   clone CreusotContracts_Std1_Slice_Impl0_Model_Interface as Model1 with type t = t, axiom .
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = t
   clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model0 with type t = seq t,
   type ModelTy0.modelTy = ModelTy0.modelTy
   val swap [@cfg:stackify] (self : borrowed (seq t)) (a : usize) (b : usize) : ()
@@ -2813,115 +1591,22 @@ module CreuSat_Clause_Impl3_MoveToEnd_Interface
   use mach.int.Int32
   use prelude.Prelude
   use Type
+  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
   clone CreuSat_Logic_LogicLit_Impl1_LitIn_Interface as LitIn0
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
   clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type ModelTy0.modelTy = ModelTy0.modelTy
   clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant0
   val move_to_end [@cfg:stackify] (self : borrowed (Type.creusat_clause_clause)) (idx : usize) (_f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 117 4 117 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 118 4 118 34] Seq.length (Model0.model self) > 0}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 119 4 119 37] UInt64.to_int idx < Seq.length (Model0.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 117 4 117 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 120 4 121 85] forall i : (int) . 0 <= i && i < Seq.length (Model1.model ( ^ self)) -> (exists j : (int) . 0 <= j && j < Seq.length (Model0.model self) && Seq.get (Model1.model ( ^ self)) i = Seq.get (Model0.model self) j) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 122 4 122 63] Seq.get (Model1.model ( ^ self)) (Seq.length (Model1.model ( ^ self)) - 1) = Seq.get (Model0.model self) (UInt64.to_int idx) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 123 4 123 49] Seq.length (Model1.model ( ^ self)) = Seq.length (Model0.model self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 124 4 125 38] forall j : (int) . 0 <= j && j < Seq.length (Model0.model self) -> LitIn0.lit_in (Seq.get (Model0.model self) j) ( ^ self) }
-    
-end
-module CreuSat_Clause_Impl3_MoveToEnd
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant1.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicLit_Impl1_LitIn as LitIn0 with function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant0 with function Model0.model = Model1.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model0 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = seq (Type.creusat_lit_lit)
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_lit_lit
-  clone CreusotContracts_Std1_Slice_Impl0_Model as Model4 with type t = Type.creusat_lit_lit, axiom .
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model5 with type t = seq (Type.creusat_lit_lit),
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model4.model
-  clone Core_Slice_Impl0_Swap_Interface as Swap0 with type t = Type.creusat_lit_lit,
-  function Model0.model = Model5.model, function Model1.model = Model4.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_clause_clause
-  clone Alloc_Vec_Impl11_DerefMut_Interface as DerefMut0 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, function Model0.model = Model4.model, function Model1.model = Model2.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model3 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len0 with function Model0.model = Model3.model
-  let rec cfg move_to_end [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 126 4 126 55] (self : borrowed (Type.creusat_clause_clause)) (idx : usize) (_f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 117 4 117 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 118 4 118 34] Seq.length (Model0.model self) > 0}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 119 4 119 37] UInt64.to_int idx < Seq.length (Model0.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 117 4 117 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 120 4 121 85] forall i : (int) . 0 <= i && i < Seq.length (Model1.model ( ^ self)) -> (exists j : (int) . 0 <= j && j < Seq.length (Model0.model self) && Seq.get (Model1.model ( ^ self)) i = Seq.get (Model0.model self) j) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 122 4 122 63] Seq.get (Model1.model ( ^ self)) (Seq.length (Model1.model ( ^ self)) - 1) = Seq.get (Model0.model self) (UInt64.to_int idx) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 123 4 123 49] Seq.length (Model1.model ( ^ self)) = Seq.length (Model0.model self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 124 4 125 38] forall j : (int) . 0 <= j && j < Seq.length (Model0.model self) -> LitIn0.lit_in (Seq.get (Model0.model self) j) ( ^ self) }
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 117 4 117 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 118 4 118 34] Seq.length (Model0.model self) > 0}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 119 4 119 37] UInt64.to_int idx < Seq.length (Model0.model self)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 117 4 117 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 120 4 121 85] forall i : (int) . 0 <= i /\ i < Seq.length (Model1.model ( ^ self)) -> (exists j : (int) . 0 <= j /\ j < Seq.length (Model0.model self) /\ Seq.get (Model1.model ( ^ self)) i = Seq.get (Model0.model self) j) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 122 4 122 63] Seq.get (Model1.model ( ^ self)) (Seq.length (Model1.model ( ^ self)) - 1) = Seq.get (Model0.model self) (UInt64.to_int idx) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 123 4 123 49] Seq.length (Model1.model ( ^ self)) = Seq.length (Model0.model self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 124 4 125 38] forall j : (int) . 0 <= j /\ j < Seq.length (Model0.model self) -> LitIn0.lit_in (Seq.get (Model0.model self) j) ( ^ self) }
     
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_clause_clause);
-  var idx_2 : usize;
-  var _f_3 : Type.creusat_formula_formula;
-  var end'_4 : usize;
-  var _5 : usize;
-  var _6 : Type.creusat_clause_clause;
-  var _7 : ();
-  var _8 : borrowed (seq (Type.creusat_lit_lit));
-  var _9 : borrowed (seq (Type.creusat_lit_lit));
-  var _10 : borrowed (Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global));
-  var _11 : usize;
-  var _12 : usize;
-  {
-    self_1 <- self;
-    idx_2 <- idx;
-    _f_3 <- _f;
-    goto BB0
-  }
-  BB0 {
-    _6 <-  * self_1;
-    _5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 127 18 127 28] Len0.len _6);
-    goto BB1
-  }
-  BB1 {
-    end'_4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 127 18 127 32] _5 - (1 : usize));
-    _10 <- borrow_mut (Type.creusat_clause_clause_Clause_lits ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Clause_Clause a b c d =  * self_1 in Type.CreuSat_Clause_Clause a b c ( ^ _10)) };
-    assume { Resolve0.resolve self_1 };
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 128 8 128 32] DerefMut0.deref_mut _10);
-    goto BB2
-  }
-  BB2 {
-    _8 <- borrow_mut ( * _9);
-    _9 <- { _9 with current = ( ^ _8) };
-    _11 <- idx_2;
-    _12 <- end'_4;
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 128 8 128 32] Swap0.swap _8 _11 _12);
-    goto BB3
-  }
-  BB3 {
-    assume { Resolve1.resolve _9 };
-    _0 <- ();
-    return _0
-  }
-  
 end
 module Alloc_Vec_Impl1_Pop_Interface
   type t
@@ -2935,25 +1620,8 @@ module Alloc_Vec_Impl1_Pop_Interface
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = t, type a = a, axiom .
   val pop [@cfg:stackify] (self : borrowed (Type.alloc_vec_vec t a)) : Type.core_option_option t
     ensures { match (result) with
-      | Type.Core_Option_Option_Some t -> Model0.model ( ^ self) = SeqExt.subsequence (Model0.model ( * self)) 0 (Seq.length (Model0.model ( * self)) - 1) && Model0.model ( * self) = Seq.snoc (Model0.model ( ^ self)) t
-      | Type.Core_Option_Option_None ->  * self =  ^ self && Seq.length (Model0.model ( * self)) = 0
-      end }
-    
-end
-module Alloc_Vec_Impl1_Pop
-  type t
-  type a
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  use seq.Seq
-  use seq_ext.SeqExt
-  use prelude.Prelude
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = t, type a = a, axiom .
-  val pop [@cfg:stackify] (self : borrowed (Type.alloc_vec_vec t a)) : Type.core_option_option t
-    ensures { match (result) with
-      | Type.Core_Option_Option_Some t -> Model0.model ( ^ self) = SeqExt.subsequence (Model0.model ( * self)) 0 (Seq.length (Model0.model ( * self)) - 1) && Model0.model ( * self) = Seq.snoc (Model0.model ( ^ self)) t
-      | Type.Core_Option_Option_None ->  * self =  ^ self && Seq.length (Model0.model ( * self)) = 0
+      | Type.Core_Option_Option_Some t -> Model0.model ( ^ self) = SeqExt.subsequence (Model0.model ( * self)) 0 (Seq.length (Model0.model ( * self)) - 1) /\ Model0.model ( * self) = Seq.snoc (Model0.model ( ^ self)) t
+      | Type.Core_Option_Option_None ->  * self =  ^ self /\ Seq.length (Model0.model ( * self)) = 0
       end }
     
 end
@@ -2964,97 +1632,22 @@ module CreuSat_Clause_Impl3_RemoveFromClause_Interface
   use mach.int.Int32
   use prelude.Prelude
   use Type
+  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
   clone CreuSat_Logic_LogicLit_Impl1_LitIn_Interface as LitIn0
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
   clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type ModelTy0.modelTy = ModelTy0.modelTy
   clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant0
   val remove_from_clause [@cfg:stackify] (self : borrowed (Type.creusat_clause_clause)) (idx : usize) (_f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 134 4 134 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 135 4 135 34] Seq.length (Model0.model self) > 0}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 136 4 136 37] UInt64.to_int idx < Seq.length (Model0.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 134 4 134 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 137 4 138 83] forall i : (int) . 0 <= i && i < Seq.length (Model1.model ( ^ self)) -> (exists j : (int) . 0 <= j && j < Seq.length (Model0.model self) && Seq.get (Model1.model ( ^ self)) i = Seq.get (Model0.model self) j) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 139 4 139 53] Seq.length (Model1.model ( ^ self)) + 1 = Seq.length (Model0.model self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 140 4 140 44] not LitIn0.lit_in (Seq.get (Model0.model self) (UInt64.to_int idx)) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 141 4 142 51] forall j : (int) . 0 <= j && j < Seq.length (Model0.model self) && j <> UInt64.to_int idx -> LitIn0.lit_in (Seq.get (Model0.model self) j) ( ^ self) }
-    
-end
-module CreuSat_Clause_Impl3_RemoveFromClause
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant1.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicLit_Impl1_LitIn as LitIn0 with function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant0 with function Model0.model = Model1.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model0 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_clause_clause
-  clone Alloc_Vec_Impl1_Pop_Interface as Pop0 with type t = Type.creusat_lit_lit, type a = Type.alloc_alloc_global,
-  function Model0.model = Model2.model
-  clone CreuSat_Clause_Impl3_MoveToEnd_Interface as MoveToEnd0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  function Model0.model = Model0.model, function Model1.model = Model1.model, predicate LitIn0.lit_in = LitIn0.lit_in
-  let rec cfg remove_from_clause [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 143 4 143 66] (self : borrowed (Type.creusat_clause_clause)) (idx : usize) (_f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 134 4 134 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 135 4 135 34] Seq.length (Model0.model self) > 0}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 136 4 136 37] UInt64.to_int idx < Seq.length (Model0.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 134 4 134 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 137 4 138 83] forall i : (int) . 0 <= i && i < Seq.length (Model1.model ( ^ self)) -> (exists j : (int) . 0 <= j && j < Seq.length (Model0.model self) && Seq.get (Model1.model ( ^ self)) i = Seq.get (Model0.model self) j) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 139 4 139 53] Seq.length (Model1.model ( ^ self)) + 1 = Seq.length (Model0.model self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 140 4 140 44] not LitIn0.lit_in (Seq.get (Model0.model self) (UInt64.to_int idx)) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 141 4 142 51] forall j : (int) . 0 <= j && j < Seq.length (Model0.model self) && j <> UInt64.to_int idx -> LitIn0.lit_in (Seq.get (Model0.model self) j) ( ^ self) }
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 134 4 134 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 135 4 135 34] Seq.length (Model0.model self) > 0}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 136 4 136 37] UInt64.to_int idx < Seq.length (Model0.model self)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 134 4 134 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 137 4 138 83] forall i : (int) . 0 <= i /\ i < Seq.length (Model1.model ( ^ self)) -> (exists j : (int) . 0 <= j /\ j < Seq.length (Model0.model self) /\ Seq.get (Model1.model ( ^ self)) i = Seq.get (Model0.model self) j) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 139 4 139 53] Seq.length (Model1.model ( ^ self)) + 1 = Seq.length (Model0.model self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 140 4 140 44] not LitIn0.lit_in (Seq.get (Model0.model self) (UInt64.to_int idx)) ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 141 4 142 51] forall j : (int) . 0 <= j /\ j < Seq.length (Model0.model self) /\ j <> UInt64.to_int idx -> LitIn0.lit_in (Seq.get (Model0.model self) j) ( ^ self) }
     
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_clause_clause);
-  var idx_2 : usize;
-  var _f_3 : Type.creusat_formula_formula;
-  var _4 : ();
-  var _5 : borrowed (Type.creusat_clause_clause);
-  var _6 : usize;
-  var _7 : Type.creusat_formula_formula;
-  var _8 : Type.core_option_option (Type.creusat_lit_lit);
-  var _9 : borrowed (Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global));
-  {
-    self_1 <- self;
-    idx_2 <- idx;
-    _f_3 <- _f;
-    goto BB0
-  }
-  BB0 {
-    _5 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _5) };
-    _6 <- idx_2;
-    _7 <- _f_3;
-    _4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 144 8 144 33] MoveToEnd0.move_to_end _5 _6 _7);
-    goto BB1
-  }
-  BB1 {
-    _9 <- borrow_mut (Type.creusat_clause_clause_Clause_lits ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Clause_Clause a b c d =  * self_1 in Type.CreuSat_Clause_Clause a b c ( ^ _9)) };
-    _8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 145 8 145 23] Pop0.pop _9);
-    goto BB2
-  }
-  BB2 {
-    assume { Resolve0.resolve self_1 };
-    _0 <- ();
-    return _0
-  }
-  
 end
 module CreuSat_Logic_LogicClause_Impl2_VarsInRange_Interface
   use Type
@@ -3066,10 +1659,10 @@ module CreuSat_Logic_LogicClause_Impl2_VarsInRange
   use mach.int.Int
   clone CreuSat_Logic_LogicClause_VarsInRangeInner_Interface as VarsInRangeInner0
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate vars_in_range [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 178 4 178 46] (self : Type.creusat_clause_clause) (n : int)
+  predicate vars_in_range [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 178 4 178 46] (self : Type.creusat_clause_clause) (n : int)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 179 8 179 51] VarsInRangeInner0.vars_in_range_inner (Model0.model self) n
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 179 8 179 51] VarsInRangeInner0.vars_in_range_inner (Model0.model self) n
 end
 module CreuSat_Logic_LogicClause_Impl2_SatInner_Interface
   use Type
@@ -3088,10 +1681,10 @@ module CreuSat_Logic_LogicClause_Impl2_SatInner
   use mach.int.Int32
   clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate sat_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 158 4 158 57] (self : Type.creusat_clause_clause) (a : Seq.seq uint8)
+  predicate sat_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 158 4 158 57] (self : Type.creusat_clause_clause) (a : Seq.seq uint8)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 159 8 162 9] exists i : (int) . 0 <= i && i < Seq.length (Model0.model self) && SatInner0.sat_inner (Seq.get (Model0.model self) i) a
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 159 8 162 9] exists i : (int) . 0 <= i /\ i < Seq.length (Model0.model self) /\ SatInner0.sat_inner (Seq.get (Model0.model self) i) a
 end
 module CreuSat_Logic_LogicLit_Impl1_UnsetInner_Interface
   use Type
@@ -3109,10 +1702,10 @@ module CreuSat_Logic_LogicLit_Impl1_UnsetInner
   use prelude.UInt8
   use mach.int.Int32
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  predicate unset_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 101 4 101 59] (self : Type.creusat_lit_lit) (a : Seq.seq uint8)
+  predicate unset_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 101 4 101 59] (self : Type.creusat_lit_lit) (a : Seq.seq uint8)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 102 8 102 51] UInt8.to_int (Seq.get a (IndexLogic0.index_logic self)) >= 2
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 102 8 102 51] UInt8.to_int (Seq.get a (IndexLogic0.index_logic self)) >= 2
 end
 module CreuSat_Logic_LogicClause_Impl2_UnitInner_Interface
   use Type
@@ -3133,10 +1726,10 @@ module CreuSat_Logic_LogicClause_Impl2_UnitInner
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
   clone CreuSat_Logic_LogicClause_Impl2_SatInner_Interface as SatInner0
   clone CreuSat_Logic_LogicClause_Impl2_VarsInRange_Interface as VarsInRange0
-  predicate unit_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 129 4 129 54] (self : Type.creusat_clause_clause) (a : Seq.seq uint8)
+  predicate unit_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 129 4 129 54] (self : Type.creusat_clause_clause) (a : Seq.seq uint8)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 130 8 137 9] VarsInRange0.vars_in_range self (Seq.length a) && not SatInner0.sat_inner self a && (exists i : (int) . 0 <= i && i < Seq.length (Model0.model self) && UnsetInner0.unset_inner (Seq.get (Model0.model self) i) a && (forall j : (int) . 0 <= j && j < Seq.length (Model0.model self) && j <> i -> not UnsetInner0.unset_inner (Seq.get (Model0.model self) j) a))
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 130 8 137 9] VarsInRange0.vars_in_range self (Seq.length a) /\ not SatInner0.sat_inner self a /\ (exists i : (int) . 0 <= i /\ i < Seq.length (Model0.model self) /\ UnsetInner0.unset_inner (Seq.get (Model0.model self) i) a /\ (forall j : (int) . 0 <= j /\ j < Seq.length (Model0.model self) /\ j <> i -> not UnsetInner0.unset_inner (Seq.get (Model0.model self) j) a))
 end
 module CreuSat_Logic_LogicClause_Impl2_Unit_Interface
   use Type
@@ -3146,10 +1739,10 @@ module CreuSat_Logic_LogicClause_Impl2_Unit
   use Type
   clone CreuSat_Logic_LogicClause_Impl2_UnitInner_Interface as UnitInner0
   clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate unit [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 140 4 140 45] (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
+  predicate unit [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 140 4 140 45] (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 141 8 141 41] UnitInner0.unit_inner self (Model0.model a)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 141 8 141 41] UnitInner0.unit_inner self (Model0.model a)
 end
 module CreuSat_Logic_LogicLit_Impl1_Unset_Interface
   use Type
@@ -3159,10 +1752,10 @@ module CreuSat_Logic_LogicLit_Impl1_Unset
   use Type
   clone CreuSat_Logic_LogicLit_Impl1_UnsetInner_Interface as UnsetInner0
   clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate unset [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 111 4 111 46] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments)
+  predicate unset [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 111 4 111 46] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 112 8 112 42] UnsetInner0.unset_inner self (Model0.model a)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 112 8 112 42] UnsetInner0.unset_inner self (Model0.model a)
 end
 module CreuSat_Logic_LogicLit_Impl1_Unsat_Interface
   use Type
@@ -3172,10 +1765,10 @@ module CreuSat_Logic_LogicLit_Impl1_Unsat
   use Type
   clone CreuSat_Logic_LogicLit_Impl1_UnsatInner_Interface as UnsatInner0
   clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate unsat [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 116 4 116 46] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments)
+  predicate unsat [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 116 4 116 46] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 117 8 117 42] UnsatInner0.unsat_inner self (Model0.model a)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 117 8 117 42] UnsatInner0.unsat_inner self (Model0.model a)
 end
 module CreuSat_Assignments_Impl0_Output
   use mach.int.Int
@@ -3195,8 +1788,8 @@ module CreuSat_Assignments_Impl0
   clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
   clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_assignments_assignments,
   type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Assignments_Impl0_Index_Interface as Index0 with function Model0.model = Model0.model
   clone CreuSat_Assignments_Impl0_Output as Output0
+  clone CreuSat_Assignments_Impl0_Index_Interface as Index0 with function Model0.model = Model0.model
   clone Core_Ops_Index_Index_Index_Interface as Index1 with type self = Type.creusat_assignments_assignments,
   type idx = usize, val index = Index0.index, type Output0.output = Output0.output
   clone Core_Ops_Index_Index_Output as Output1 with type self = Type.creusat_assignments_assignments, type idx = usize,
@@ -3206,357 +1799,51 @@ module CreuSat_Lit_Impl1_LitUnsat_Interface
   use seq.Seq
   use Type
   use prelude.Prelude
+  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
   clone CreuSat_Logic_LogicLit_Impl1_Unsat_Interface as Unsat0
   clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant0
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
   clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_assignments_assignments,
   type ModelTy0.modelTy = ModelTy0.modelTy
   val lit_unsat [@cfg:stackify] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 62 4 62 43] Invariant0.invariant' self (Seq.length (Model0.model a))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 63 4 63 40] result = Unsat0.unsat self a }
-    
-end
-module CreuSat_Lit_Impl1_LitUnsat
-  use seq.Seq
-  use Type
-  use prelude.Prelude
-  use mach.int.Int
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Unsat as Unsat0 with function Model0.model = Model1.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  use mach.int.UInt64
-  clone CreuSat_Lit_Impl1_IsPositive_Interface as IsPositive0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl1_Index_Interface as Index0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Assignments_Impl0_Index_Interface as Index1 with function Model0.model = Model0.model
-  let rec cfg lit_unsat [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 64 4 64 51] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 62 4 62 43] Invariant0.invariant' self (Seq.length (Model0.model a))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 63 4 63 40] result = Unsat0.unsat self a }
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 62 4 62 43] Invariant0.invariant' self (Seq.length (Model0.model a))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 63 4 63 40] result = Unsat0.unsat self a }
     
-   =
-  var _0 : bool;
-  var self_1 : Type.creusat_lit_lit;
-  var a_2 : Type.creusat_assignments_assignments;
-  var _3 : bool;
-  var _4 : Type.creusat_lit_lit;
-  var _5 : uint8;
-  var _6 : uint8;
-  var _7 : Type.creusat_assignments_assignments;
-  var _8 : usize;
-  var _9 : Type.creusat_lit_lit;
-  var _10 : uint8;
-  var _11 : uint8;
-  var _12 : Type.creusat_assignments_assignments;
-  var _13 : usize;
-  var _14 : Type.creusat_lit_lit;
-  {
-    self_1 <- self;
-    a_2 <- a;
-    goto BB0
-  }
-  BB0 {
-    _4 <- self_1;
-    _3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 65 14 65 32] IsPositive0.is_positive _4);
-    goto BB1
-  }
-  BB1 {
-    switch (_3)
-      | False -> goto BB2
-      | _ -> goto BB3
-      end
-  }
-  BB2 {
-    _12 <- a_2;
-    _14 <- self_1;
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 67 24 67 36] Index0.index _14);
-    goto BB6
-  }
-  BB3 {
-    _7 <- a_2;
-    _9 <- self_1;
-    _8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 66 23 66 35] Index0.index _9);
-    goto BB4
-  }
-  BB4 {
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 66 21 66 36] Index1.index _7 _8);
-    goto BB5
-  }
-  BB5 {
-    _5 <- _6;
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 66 20 66 42] _5 = (0 : uint8));
-    goto BB8
-  }
-  BB6 {
-    _11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 67 22 67 37] Index1.index _12 _13);
-    goto BB7
-  }
-  BB7 {
-    _10 <- _11;
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 67 21 67 43] _10 = (1 : uint8));
-    goto BB8
-  }
-  BB8 {
-    return _0
-  }
-  
 end
 module CreuSat_Lit_Impl1_LitUnset_Interface
   use seq.Seq
   use Type
   use prelude.Prelude
+  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
   clone CreuSat_Logic_LogicLit_Impl1_Unset_Interface as Unset0
   clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant0
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
   clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_assignments_assignments,
   type ModelTy0.modelTy = ModelTy0.modelTy
   val lit_unset [@cfg:stackify] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 73 4 73 43] Invariant0.invariant' self (Seq.length (Model0.model a))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 74 4 74 40] result = Unset0.unset self a }
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 73 4 73 43] Invariant0.invariant' self (Seq.length (Model0.model a))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 74 4 74 40] result = Unset0.unset self a }
     
 end
-module CreuSat_Lit_Impl1_LitUnset
-  use seq.Seq
-  use Type
-  use prelude.Prelude
-  use mach.int.Int
-  use prelude.UInt8
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsetInner as UnsetInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Unset as Unset0 with function Model0.model = Model1.model,
-  predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  use mach.int.UInt64
-  clone CreuSat_Lit_Impl1_Index_Interface as Index0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Assignments_Impl0_Index_Interface as Index1 with function Model0.model = Model0.model
-  let rec cfg lit_unset [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 75 4 75 51] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 73 4 73 43] Invariant0.invariant' self (Seq.length (Model0.model a))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 74 4 74 40] result = Unset0.unset self a }
-    
-   =
-  var _0 : bool;
-  var self_1 : Type.creusat_lit_lit;
-  var a_2 : Type.creusat_assignments_assignments;
-  var _3 : uint8;
-  var _4 : uint8;
-  var _5 : Type.creusat_assignments_assignments;
-  var _6 : usize;
-  var _7 : Type.creusat_lit_lit;
-  {
-    self_1 <- self;
-    a_2 <- a;
-    goto BB0
-  }
-  BB0 {
-    _5 <- a_2;
-    _7 <- self_1;
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 76 10 76 22] Index0.index _7);
-    goto BB1
-  }
-  BB1 {
-    _4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 76 8 76 23] Index1.index _5 _6);
-    goto BB2
-  }
-  BB2 {
-    _3 <- _4;
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 76 8 76 28] _3 >= (2 : uint8));
-    return _0
-  }
-  
-end
-module CreuSat_Clause_Impl3_UnitAndUnset_Interface
-  use mach.int.UInt64
+module CreuSat_Clause_Impl3_UnitAndUnset_Interface
+  use mach.int.UInt64
   use seq.Seq
   use mach.int.Int
   use mach.int.Int32
   use prelude.Prelude
   use Type
+  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
   clone CreuSat_Logic_LogicLit_Impl1_Unset_Interface as Unset0
   clone CreuSat_Logic_LogicClause_Impl2_Unit_Interface as Unit0
   clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant0
   clone CreuSat_Logic_LogicClause_InvariantInternal_Interface as InvariantInternal0
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
   clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type ModelTy0.modelTy = ModelTy0.modelTy
   val unit_and_unset [@cfg:stackify] (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments) (_f : Type.creusat_formula_formula) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 150 4 150 56] InvariantInternal0.invariant_internal (Model0.model self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 151 4 151 33] Invariant0.invariant' a _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 152 4 152 34] Seq.length (Model0.model self) > 1}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 153 4 153 40] result -> Unit0.unit self a }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 154 4 154 47] result -> Unset0.unset (Seq.get (Model0.model self) 0) a }
-    
-end
-module CreuSat_Clause_Impl3_UnitAndUnset
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model2 with function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant0 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant1.invariant'
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Unsat as Unsat0 with function Model0.model = Model2.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_UnsetInner as UnsetInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Unset as Unset0 with function Model0.model = Model2.model,
-  predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model3.model
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner0 with function Model0.model = Model1.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_VarsInRange as VarsInRange0 with function Model0.model = Model1.model,
-  predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner
-  clone CreuSat_Logic_LogicClause_Impl2_UnitInner as UnitInner0 with predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner, function Model0.model = Model1.model,
-  predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Unit as Unit0 with function Model0.model = Model2.model,
-  predicate UnitInner0.unit_inner = UnitInner0.unit_inner
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy1
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model5 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model2.model
-  clone CreuSat_Lit_Impl1_LitUnsat_Interface as LitUnsat0 with function Model0.model = Model5.model,
-  predicate Invariant0.invariant' = Invariant1.invariant', predicate Unsat0.unsat = Unsat0.unsat
-  clone CreuSat_Lit_Impl1_LitUnset_Interface as LitUnset0 with function Model0.model = Model5.model,
-  predicate Invariant0.invariant' = Invariant1.invariant', predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Clause_Impl0_Index_Interface as Index0 with function Model0.model = Model0.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len0 with function Model0.model = Model0.model
-  let rec cfg unit_and_unset [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 155 4 155 71] (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments) (_f : Type.creusat_formula_formula) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 150 4 150 56] InvariantInternal0.invariant_internal (Model0.model self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 151 4 151 33] Invariant0.invariant' a _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 152 4 152 34] Seq.length (Model0.model self) > 1}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 153 4 153 40] result -> Unit0.unit self a }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 154 4 154 47] result -> Unset0.unset (Seq.get (Model0.model self) 0) a }
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 150 4 150 56] InvariantInternal0.invariant_internal (Model0.model self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 151 4 151 33] Invariant0.invariant' a _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 152 4 152 34] Seq.length (Model0.model self) > 1}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 153 4 153 40] result -> Unit0.unit self a }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 154 4 154 47] result -> Unset0.unset (Seq.get (Model0.model self) 0) a }
     
-   =
-  var _0 : bool;
-  var self_1 : Type.creusat_clause_clause;
-  var a_2 : Type.creusat_assignments_assignments;
-  var _f_3 : Type.creusat_formula_formula;
-  var i_4 : usize;
-  var _5 : ();
-  var _6 : ();
-  var _7 : bool;
-  var _8 : usize;
-  var _9 : usize;
-  var _10 : Type.creusat_clause_clause;
-  var _11 : ();
-  var _12 : bool;
-  var _13 : bool;
-  var _14 : Type.creusat_lit_lit;
-  var _15 : Type.creusat_lit_lit;
-  var _16 : Type.creusat_clause_clause;
-  var _17 : usize;
-  var _18 : Type.creusat_assignments_assignments;
-  var _19 : ();
-  var _20 : ();
-  var _21 : ();
-  var _22 : ();
-  var _23 : Type.creusat_lit_lit;
-  var _24 : Type.creusat_lit_lit;
-  var _25 : Type.creusat_clause_clause;
-  var _26 : Type.creusat_assignments_assignments;
-  {
-    self_1 <- self;
-    a_2 <- a;
-    _f_3 <- _f;
-    goto BB0
-  }
-  BB0 {
-    i_4 <- (1 : usize);
-    goto BB1
-  }
-  BB1 {
-    invariant unsat { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 157 8 157 85] forall j : (int) . 1 <= j && j < UInt64.to_int i_4 -> Unsat0.unsat (Seq.get (Model0.model self_1) j) a_2 };
-    _8 <- i_4;
-    _10 <- self_1;
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 158 18 158 28] Len0.len _10);
-    goto BB2
-  }
-  BB2 {
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 158 14 158 28] _8 < _9);
-    switch (_7)
-      | False -> goto BB8
-      | _ -> goto BB3
-      end
-  }
-  BB3 {
-    _16 <- self_1;
-    _17 <- i_4;
-    _15 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 159 16 159 23] Index0.index _16 _17);
-    goto BB4
-  }
-  BB4 {
-    _14 <- _15;
-    _18 <- a_2;
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 159 16 159 36] LitUnsat0.lit_unsat _14 _18);
-    goto BB5
-  }
-  BB5 {
-    _12 <- not _13;
-    switch (_12)
-      | False -> goto BB7
-      | _ -> goto BB6
-      end
-  }
-  BB6 {
-    _0 <- false;
-    goto BB11
-  }
-  BB7 {
-    _11 <- ();
-    i_4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 162 12 162 18] i_4 + (1 : usize));
-    _6 <- ();
-    goto BB1
-  }
-  BB8 {
-    _5 <- ();
-    _25 <- self_1;
-    _24 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 164 8 164 15] Index0.index _25 (0 : usize));
-    goto BB9
-  }
-  BB9 {
-    _23 <- _24;
-    _26 <- a_2;
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 164 8 164 28] LitUnset0.lit_unset _23 _26);
-    goto BB10
-  }
-  BB10 {
-    goto BB11
-  }
-  BB11 {
-    return _0
-  }
-  
 end
 module CreuSat_Logic_LogicAssignments_CompleteInner_Interface
   use seq.Seq
@@ -3572,10 +1859,10 @@ module CreuSat_Logic_LogicAssignments_CompleteInner
   use prelude.UInt8
   use mach.int.Int32
   clone CreuSat_Logic_Logic_Unset_Interface as Unset0
-  predicate complete_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_assignments.rs" 33 0 33 52] (a : Seq.seq uint8)
+  predicate complete_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_assignments.rs" 33 0 33 52] (a : Seq.seq uint8)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_assignments.rs" 34 4 36 5] forall i : (int) . 0 <= i && i < Seq.length a -> not Unset0.unset (Seq.get a i)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_assignments.rs" 34 4 36 5] forall i : (int) . 0 <= i /\ i < Seq.length a -> not Unset0.unset (Seq.get a i)
 end
 module CreuSat_Logic_LogicFormula_FormulaSatInner_Interface
   use seq.Seq
@@ -3593,10 +1880,10 @@ module CreuSat_Logic_LogicFormula_FormulaSatInner
   use prelude.UInt8
   use mach.int.Int32
   clone CreuSat_Logic_LogicClause_Impl2_SatInner_Interface as SatInner0
-  predicate formula_sat_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 32 0 32 78] (f : (Seq.seq (Type.creusat_clause_clause), int)) (a : Seq.seq uint8)
+  predicate formula_sat_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 39 0 39 78] (f : (Seq.seq (Type.creusat_clause_clause), int)) (a : Seq.seq uint8)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 33 4 36 5] forall i : (int) . 0 <= i && i < Seq.length (let (a, _) = f in a) -> SatInner0.sat_inner (Seq.get (let (a, _) = f in a) i) a
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 40 4 43 5] forall i : (int) . 0 <= i /\ i < Seq.length (let (a, _) = f in a) -> SatInner0.sat_inner (Seq.get (let (a, _) = f in a) i) a
 end
 module CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss_Interface
   use seq.Seq
@@ -3612,10 +1899,10 @@ module CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss
   use prelude.UInt8
   clone CreuSat_Logic_LogicFormula_FormulaSatInner_Interface as FormulaSatInner0
   clone CreuSat_Logic_LogicAssignments_CompleteInner_Interface as CompleteInner0
-  predicate eventually_sat_complete_no_ass [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 40 0 40 68] (f : (Seq.seq (Type.creusat_clause_clause), int))
+  predicate eventually_sat_complete_no_ass [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 47 0 47 68] (f : (Seq.seq (Type.creusat_clause_clause), int))
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 41 4 43 5] exists a2 : (Seq.seq uint8) . Seq.length a2 = (let (_, a) = f in a) && CompleteInner0.complete_inner a2 && FormulaSatInner0.formula_sat_inner f a2
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 48 4 50 5] exists a2 : (Seq.seq uint8) . Seq.length a2 = (let (_, a) = f in a) /\ CompleteInner0.complete_inner a2 /\ FormulaSatInner0.formula_sat_inner f a2
 end
 module CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface
   use Type
@@ -3628,10 +1915,10 @@ module CreuSat_Logic_LogicClause_EquisatExtensionInner
   use seq.Seq
   use mach.int.Int
   clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss_Interface as EventuallySatCompleteNoAss0
-  predicate equisat_extension_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 34 0 34 72] (c : Type.creusat_clause_clause) (f : (Seq.seq (Type.creusat_clause_clause), int))
+  predicate equisat_extension_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 34 0 34 72] (c : Type.creusat_clause_clause) (f : (Seq.seq (Type.creusat_clause_clause), int))
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 35 4 37 5] EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass f -> EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass (Seq.snoc (let (a, _) = f in a) c, let (_, a) = f in a)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 35 4 37 5] EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass f -> EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass (Seq.snoc (let (a, _) = f in a) c, let (_, a) = f in a)
 end
 module CreuSat_Logic_LogicClause_Impl2_EquisatExtension_Interface
   use Type
@@ -3641,10 +1928,10 @@ module CreuSat_Logic_LogicClause_Impl2_EquisatExtension
   use Type
   clone CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface as EquisatExtensionInner0
   clone CreuSat_Logic_LogicFormula_Impl0_Model_Interface as Model0
-  predicate equisat_extension [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 87 4 87 54] (self : Type.creusat_clause_clause) (f : Type.creusat_formula_formula)
+  predicate equisat_extension [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 87 4 87 54] (self : Type.creusat_clause_clause) (f : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 88 8 88 55] EquisatExtensionInner0.equisat_extension_inner self (Model0.model f)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 88 8 88 55] EquisatExtensionInner0.equisat_extension_inner self (Model0.model f)
 end
 module CreuSat_Logic_LogicClause_Impl2_UnsatInner_Interface
   use Type
@@ -3663,10 +1950,10 @@ module CreuSat_Logic_LogicClause_Impl2_UnsatInner
   use mach.int.Int32
   clone CreuSat_Logic_LogicLit_Impl1_UnsatInner_Interface as UnsatInner0
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate unsat_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 145 4 145 59] (self : Type.creusat_clause_clause) (a : Seq.seq uint8)
+  predicate unsat_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 145 4 145 59] (self : Type.creusat_clause_clause) (a : Seq.seq uint8)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 146 8 149 9] forall i : (int) . 0 <= i && i < Seq.length (Model0.model self) -> UnsatInner0.unsat_inner (Seq.get (Model0.model self) i) a
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 146 8 149 9] forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model self) -> UnsatInner0.unsat_inner (Seq.get (Model0.model self) i) a
 end
 module CreuSat_Logic_LogicClause_Impl2_Equisat_Interface
   use Type
@@ -3680,10 +1967,10 @@ module CreuSat_Logic_LogicClause_Impl2_Equisat
   use prelude.UInt8
   clone CreuSat_Logic_LogicClause_Impl2_UnsatInner_Interface as UnsatInner0
   clone CreuSat_Logic_LogicClause_Impl2_SatInner_Interface as SatInner0
-  predicate equisat [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 220 4 220 43] (self : Type.creusat_clause_clause) (o : Type.creusat_clause_clause)
+  predicate equisat [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 220 4 220 43] (self : Type.creusat_clause_clause) (o : Type.creusat_clause_clause)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 221 8 224 9] (forall a : (Seq.seq uint8) . SatInner0.sat_inner self a = SatInner0.sat_inner o a) && (forall a : (Seq.seq uint8) . UnsatInner0.unsat_inner self a = UnsatInner0.unsat_inner o a)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 221 8 224 9] (forall a : (Seq.seq uint8) . SatInner0.sat_inner self a = SatInner0.sat_inner o a) /\ (forall a : (Seq.seq uint8) . UnsatInner0.unsat_inner self a = UnsatInner0.unsat_inner o a)
 end
 module CreuSat_Logic_LogicClause_Impl2_Equisat2_Interface
   use Type
@@ -3700,10 +1987,10 @@ module CreuSat_Logic_LogicClause_Impl2_Equisat2
   clone CreuSat_Logic_LogicClause_Impl2_UnsatInner_Interface as UnsatInner0
   clone CreuSat_Logic_LogicClause_Impl2_SatInner_Interface as SatInner0
   clone CreuSat_Logic_LogicAssignments_CompleteInner_Interface as CompleteInner0
-  predicate equisat2 [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 229 4 229 56] (self : Type.creusat_clause_clause) (o : Type.creusat_clause_clause) (f : Type.creusat_formula_formula)
+  predicate equisat2 [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 229 4 229 56] (self : Type.creusat_clause_clause) (o : Type.creusat_clause_clause) (f : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 230 8 233 9] (forall a : (Seq.seq uint8) . Seq.length a = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) && CompleteInner0.complete_inner a -> SatInner0.sat_inner self a = SatInner0.sat_inner o a) && (forall a : (Seq.seq uint8) . Seq.length a = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) && CompleteInner0.complete_inner a -> UnsatInner0.unsat_inner self a = UnsatInner0.unsat_inner o a)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 230 8 233 9] (forall a : (Seq.seq uint8) . Seq.length a = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) /\ CompleteInner0.complete_inner a -> SatInner0.sat_inner self a = SatInner0.sat_inner o a) /\ (forall a : (Seq.seq uint8) . Seq.length a = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) /\ CompleteInner0.complete_inner a -> UnsatInner0.unsat_inner self a = UnsatInner0.unsat_inner o a)
 end
 module CreuSat_Clause_Impl3_SwapLitsInClause_Interface
   use seq.Seq
@@ -3711,167 +1998,21 @@ module CreuSat_Clause_Impl3_SwapLitsInClause_Interface
   use mach.int.Int
   use prelude.Prelude
   use Type
+  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
   clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension_Interface as EquisatExtension0
   clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant0
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
   clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type ModelTy0.modelTy = ModelTy0.modelTy
   val swap_lits_in_clause [@cfg:stackify] (self : borrowed (Type.creusat_clause_clause)) (_f : Type.creusat_formula_formula) (j : usize) (k : usize) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 169 4 169 35] Seq.length (Model0.model self) > UInt64.to_int j}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 170 4 170 35] Seq.length (Model0.model self) > UInt64.to_int k}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 171 4 171 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 172 4 172 51] EquisatExtension0.equisat_extension ( * self) _f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 171 4 171 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 172 4 172 51] EquisatExtension0.equisat_extension ( ^ self) _f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 173 4 173 49] Seq.length (Model0.model self) = Seq.length (Model1.model ( ^ self)) }
-    
-end
-module CreuSat_Clause_Impl3_SwapLitsInClause
-  use seq.Seq
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use Type
-  use seq.Permut
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant1.invariant'
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model3 with function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy1
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model2 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model3.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner as UnsatInner0 with function Model0.model = Model1.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner0 with function Model0.model = Model1.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model3.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Equisat2 as Equisat20 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner, predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Equisat as Equisat0 with predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant0 with function Model0.model = Model1.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model0 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = seq (Type.creusat_lit_lit)
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy2 with type t = Type.creusat_lit_lit
-  clone CreusotContracts_Std1_Slice_Impl0_Model as Model6 with type t = Type.creusat_lit_lit, axiom .
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model7 with type t = seq (Type.creusat_lit_lit),
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model6.model
-  clone Core_Slice_Impl0_Swap_Interface as Swap0 with type t = Type.creusat_lit_lit,
-  function Model0.model = Model7.model, function Model1.model = Model6.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_clause_clause
-  clone Alloc_Vec_Impl11_DerefMut_Interface as DerefMut0 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, function Model0.model = Model6.model, function Model1.model = Model4.model
-  let rec cfg swap_lits_in_clause [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 174 4 174 75] (self : borrowed (Type.creusat_clause_clause)) (_f : Type.creusat_formula_formula) (j : usize) (k : usize) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 169 4 169 35] Seq.length (Model0.model self) > UInt64.to_int j}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 170 4 170 35] Seq.length (Model0.model self) > UInt64.to_int k}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 171 4 171 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 172 4 172 51] EquisatExtension0.equisat_extension ( * self) _f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 171 4 171 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 172 4 172 51] EquisatExtension0.equisat_extension ( ^ self) _f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 173 4 173 49] Seq.length (Model0.model self) = Seq.length (Model1.model ( ^ self)) }
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 169 4 169 35] Seq.length (Model0.model self) > UInt64.to_int j}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 170 4 170 35] Seq.length (Model0.model self) > UInt64.to_int k}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 171 4 171 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 172 4 172 51] EquisatExtension0.equisat_extension ( * self) _f}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 171 4 171 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 172 4 172 51] EquisatExtension0.equisat_extension ( ^ self) _f }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 173 4 173 49] Seq.length (Model0.model self) = Seq.length (Model1.model ( ^ self)) }
     
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_clause_clause);
-  var _f_2 : Type.creusat_formula_formula;
-  var j_3 : usize;
-  var k_4 : usize;
-  ghost var old_c_5 : borrowed (Type.creusat_clause_clause);
-  var _6 : ();
-  var _7 : ();
-  var _8 : borrowed (seq (Type.creusat_lit_lit));
-  var _9 : borrowed (seq (Type.creusat_lit_lit));
-  var _10 : borrowed (Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global));
-  var _11 : usize;
-  var _12 : usize;
-  var _13 : ();
-  var _14 : ();
-  var _15 : ();
-  var _16 : ();
-  var _17 : ();
-  var _18 : ();
-  var _19 : ();
-  var _20 : ();
-  var _21 : ();
-  var _22 : ();
-  {
-    self_1 <- self;
-    _f_2 <- _f;
-    j_3 <- j;
-    k_4 <- k;
-    goto BB0
-  }
-  BB0 {
-    _6 <- ();
-    old_c_5 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 175 20 175 35] self_1);
-    goto BB1
-  }
-  BB1 {
-    _10 <- borrow_mut (Type.creusat_clause_clause_Clause_lits ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Clause_Clause a b c d =  * self_1 in Type.CreuSat_Clause_Clause a b c ( ^ _10)) };
-    assume { Resolve0.resolve self_1 };
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 176 8 176 28] DerefMut0.deref_mut _10);
-    goto BB2
-  }
-  BB2 {
-    _8 <- borrow_mut ( * _9);
-    _9 <- { _9 with current = ( ^ _8) };
-    _11 <- j_3;
-    _12 <- k_4;
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 176 8 176 28] Swap0.swap _8 _11 _12);
-    goto BB3
-  }
-  BB3 {
-    assume { Resolve1.resolve _9 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 177 8 177 46]  ^ old_c_5 =  ^ self_1 };
-    _13 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 178 8 178 51] EquisatExtension0.equisat_extension ( * old_c_5) _f_2 };
-    _14 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 179 8 179 51] Invariant0.invariant' ( * self_1) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f_2)) };
-    _15 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 180 8 180 55] Permut.exchange (Model0.model self_1) (Model0.model old_c_5) (UInt64.to_int j_3) (UInt64.to_int k_4) };
-    _16 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 181 8 181 63] Permut.permut (Model0.model old_c_5) (Model0.model self_1) 0 (Seq.length (Model0.model self_1)) };
-    _17 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 182 8 182 51] Equisat0.equisat ( * self_1) ( * old_c_5) };
-    _18 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 183 8 183 57] Equisat20.equisat2 ( * self_1) ( * old_c_5) _f_2 };
-    _19 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 184 8 184 46]  ^ old_c_5 =  ^ self_1 };
-    _20 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 186 8 187 96] EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass (Seq.snoc (let (a, _) = Model2.model _f_2 in a) ( * self_1), let (_, a) = Model2.model _f_2 in a) = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass (Seq.snoc (let (a, _) = Model2.model _f_2 in a) ( * old_c_5), let (_, a) = Model2.model _f_2 in a) };
-    _21 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 188 8 188 50] EquisatExtension0.equisat_extension ( * self_1) _f_2 };
-    _22 <- ();
-    _0 <- ();
-    return _0
-  }
-  
 end
 module CreuSat_Clause_Impl3_CalcLbd_Interface
   use seq.Seq
@@ -3883,323 +2024,66 @@ module CreuSat_Clause_Impl3_CalcLbd_Interface
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = usize, type a = Type.alloc_alloc_global,
   axiom .
   val calc_lbd [@cfg:stackify] (self : Type.creusat_clause_clause) (_f : Type.creusat_formula_formula) (s : borrowed (Type.creusat_solver_solver)) (t : Type.creusat_trail_trail) : usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 192 4 192 58] Seq.length (Model0.model (Type.creusat_trail_trail_Trail_lit_to_level t)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 193 4 193 45] Invariant0.invariant' self (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 192 4 192 58] Seq.length (Model0.model (Type.creusat_trail_trail_Trail_lit_to_level t)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/clause.rs" 193 4 193 45] Invariant0.invariant' self (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
+    
+end
+module CreuSat_Logic_LogicLit_IdxInLogic_Interface
+  use mach.int.Int
+  use seq.Seq
+  use Type
+  predicate idx_in_logic [@inline:trivial] (idx : int) (c : Seq.seq (Type.creusat_lit_lit))
+end
+module CreuSat_Logic_LogicLit_IdxInLogic
+  use mach.int.Int
+  use seq.Seq
+  use Type
+  use mach.int.Int32
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  predicate idx_in_logic [@inline:trivial] [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 10 0 10 50] (idx : int) (c : Seq.seq (Type.creusat_lit_lit))
     
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 11 4 14 5] exists i : (int) . 0 <= i /\ i < Seq.length c /\ IndexLogic0.index_logic (Seq.get c i) = idx
 end
-module CreuSat_Clause_Impl3_CalcLbd
+module CreuSat_ConflictAnalysis_IdxIn_Interface
   use seq.Seq
   use mach.int.UInt64
+  use mach.int.Int
+  use mach.int.Int32
   use prelude.Prelude
+  use Type
+  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy1 with type t = bool, type a = Type.alloc_alloc_global
+  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_lit_lit,
+  type a = Type.alloc_alloc_global
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreuSat_Logic_LogicLit_IdxInLogic_Interface as IdxInLogic0
+  clone CreuSat_Logic_LogicClause_VarsInRangeInner_Interface as VarsInRangeInner0
+  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model1 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global),
+  type ModelTy0.modelTy = ModelTy1.modelTy
+  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global),
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  val idx_in [@cfg:stackify] (c : Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global)) (idx : usize) (seen : Type.alloc_vec_vec bool (Type.alloc_alloc_global)) : bool
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 23 0 23 51] VarsInRangeInner0.vars_in_range_inner (Model0.model c) (Seq.length (Model1.model seen))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 24 0 24 33] UInt64.to_int idx < Seq.length (Model1.model seen)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 25 0 25 52] Seq.get (Model1.model seen) (UInt64.to_int idx) = IdxInLogic0.idx_in_logic (UInt64.to_int idx) (Model0.model c)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 26 0 26 96] result = (exists i : (int) . 0 <= i /\ i < Seq.length (Model0.model c) /\ IndexLogic0.index_logic (Seq.get (Model0.model c) i) = UInt64.to_int idx) }
+    
+end
+module CreuSat_Logic_LogicLit_Impl1_LitIdxIn_Interface
+  use Type
+  predicate lit_idx_in (self : Type.creusat_lit_lit) (c : Type.creusat_clause_clause)
+end
+module CreuSat_Logic_LogicLit_Impl1_LitIdxIn
   use Type
   use mach.int.Int
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant1.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant0 with function Model0.model = Model1.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_solver_solver
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = usize
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = usize
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreuSat_Lit_Impl1_Index_Interface as Index1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model3 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index0 with function Model0.model = Model3.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len0 with function Model0.model = Model3.model
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = usize, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len1 with type t = usize, type a = Type.alloc_alloc_global,
-  function Model0.model = Model0.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index2 with type t = usize, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  let rec cfg calc_lbd [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 194 4 194 76] (self : Type.creusat_clause_clause) (_f : Type.creusat_formula_formula) (s : borrowed (Type.creusat_solver_solver)) (t : Type.creusat_trail_trail) : usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 192 4 192 58] Seq.length (Model0.model (Type.creusat_trail_trail_Trail_lit_to_level t)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 193 4 193 45] Invariant0.invariant' self (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
+  use mach.int.Int32
+  use seq.Seq
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
+  predicate lit_idx_in [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 68 4 68 46] (self : Type.creusat_lit_lit) (c : Type.creusat_clause_clause)
     
    =
-  var _0 : usize;
-  var self_1 : Type.creusat_clause_clause;
-  var _f_2 : Type.creusat_formula_formula;
-  var s_3 : borrowed (Type.creusat_solver_solver);
-  var t_4 : Type.creusat_trail_trail;
-  var i_5 : usize;
-  var lbd_6 : usize;
-  var _7 : ();
-  var _8 : ();
-  var _9 : bool;
-  var _10 : usize;
-  var _11 : usize;
-  var _12 : Type.creusat_clause_clause;
-  var level_13 : usize;
-  var _14 : usize;
-  var _15 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _16 : usize;
-  var _17 : Type.creusat_lit_lit;
-  var _18 : Type.creusat_lit_lit;
-  var _19 : Type.creusat_clause_clause;
-  var _20 : usize;
-  var _21 : ();
-  var _22 : bool;
-  var _23 : bool;
-  var _24 : usize;
-  var _25 : usize;
-  var _26 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _27 : bool;
-  var _28 : usize;
-  var _29 : usize;
-  var _30 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _31 : usize;
-  var _32 : usize;
-  var _33 : usize;
-  var _34 : borrowed usize;
-  var _35 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _36 : usize;
-  var _37 : ();
-  var _38 : ();
-  var _39 : ();
-  {
-    self_1 <- self;
-    _f_2 <- _f;
-    s_3 <- s;
-    t_4 <- t;
-    goto BB0
-  }
-  BB0 {
-    i_5 <- (0 : usize);
-    lbd_6 <- (0 : usize);
-    goto BB1
-  }
-  BB1 {
-    invariant lbd_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 197 8 197 43] UInt64.to_int lbd_6 <= UInt64.to_int i_5 };
-    _10 <- i_5;
-    _12 <- self_1;
-    _11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 198 18 198 28] Len0.len _12);
-    goto BB2
-  }
-  BB2 {
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 198 14 198 28] _10 < _11);
-    switch (_9)
-      | False -> goto BB16
-      | _ -> goto BB3
-      end
-  }
-  BB3 {
-    _15 <- Type.creusat_trail_trail_Trail_lit_to_level t_4;
-    _19 <- self_1;
-    _20 <- i_5;
-    _18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 199 39 199 46] Index0.index _19 _20);
-    goto BB4
-  }
-  BB4 {
-    _17 <- _18;
-    _16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 199 39 199 54] Index1.index _17);
-    goto BB5
-  }
-  BB5 {
-    _14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 199 24 199 55] Index2.index _15 _16);
-    goto BB6
-  }
-  BB6 {
-    level_13 <- _14;
-    _24 <- level_13;
-    _26 <- Type.creusat_solver_solver_Solver_perm_diff ( * s_3);
-    _25 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 200 23 200 40] Len1.len _26);
-    goto BB10
-  }
-  BB7 {
-    _22 <- false;
-    goto BB9
-  }
-  BB8 {
-    _30 <- Type.creusat_solver_solver_Solver_perm_diff ( * s_3);
-    _31 <- level_13;
-    _29 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 201 16 201 34] Index2.index _30 _31);
-    goto BB11
-  }
-  BB9 {
-    switch (_22)
-      | False -> goto BB14
-      | _ -> goto BB12
-      end
-  }
-  BB10 {
-    _23 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 200 15 200 40] _24 < _25);
-    switch (_23)
-      | False -> goto BB7
-      | _ -> goto BB8
-      end
-  }
-  BB11 {
-    _28 <- _29;
-    _32 <- Type.creusat_solver_solver_Solver_num_conflicts ( * s_3);
-    _27 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 201 16 201 53] _28 <> _32);
-    _22 <- _27;
-    goto BB9
-  }
-  BB12 {
-    _33 <- Type.creusat_solver_solver_Solver_num_conflicts ( * s_3);
-    _35 <- borrow_mut (Type.creusat_solver_solver_Solver_perm_diff ( * s_3));
-    s_3 <- { s_3 with current = (let Type.CreuSat_Solver_Solver a b c d e f g h =  * s_3 in Type.CreuSat_Solver_Solver a b c d e f g ( ^ _35)) };
-    _36 <- level_13;
-    _34 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 203 16 203 34] IndexMut0.index_mut _35 _36);
-    goto BB13
-  }
-  BB13 {
-    _34 <- { _34 with current = _33 };
-    assume { Resolve0.resolve _34 };
-    lbd_6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 204 16 204 24] lbd_6 + (1 : usize));
-    _21 <- ();
-    goto BB15
-  }
-  BB14 {
-    _21 <- ();
-    goto BB15
-  }
-  BB15 {
-    i_5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/clause.rs" 206 12 206 18] i_5 + (1 : usize));
-    _8 <- ();
-    goto BB1
-  }
-  BB16 {
-    assume { Resolve1.resolve s_3 };
-    _7 <- ();
-    _0 <- lbd_6;
-    return _0
-  }
-  
-end
-module CreuSat_Logic_LogicLit_IdxInLogic_Interface
-  use mach.int.Int
-  use seq.Seq
-  use Type
-  predicate idx_in_logic [@inline:trivial] (idx : int) (c : Seq.seq (Type.creusat_lit_lit))
-end
-module CreuSat_Logic_LogicLit_IdxInLogic
-  use mach.int.Int
-  use seq.Seq
-  use Type
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  predicate idx_in_logic [@inline:trivial] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 10 0 10 50] (idx : int) (c : Seq.seq (Type.creusat_lit_lit))
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 11 4 14 5] exists i : (int) . 0 <= i && i < Seq.length c && IndexLogic0.index_logic (Seq.get c i) = idx
-end
-module CreuSat_ConflictAnalysis_IdxIn_Interface
-  use seq.Seq
-  use mach.int.UInt64
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicLit_IdxInLogic_Interface as IdxInLogic0
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner_Interface as VarsInRangeInner0
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy1 with type t = bool, type a = Type.alloc_alloc_global
-  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model1 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy1.modelTy
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global
-  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  val idx_in [@cfg:stackify] (c : Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global)) (idx : usize) (seen : Type.alloc_vec_vec bool (Type.alloc_alloc_global)) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 23 0 23 51] VarsInRangeInner0.vars_in_range_inner (Model0.model c) (Seq.length (Model1.model seen))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 24 0 24 33] UInt64.to_int idx < Seq.length (Model1.model seen)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 25 0 25 52] Seq.get (Model1.model seen) (UInt64.to_int idx) = IdxInLogic0.idx_in_logic (UInt64.to_int idx) (Model0.model c)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 26 0 26 96] result = (exists i : (int) . 0 <= i && i < Seq.length (Model0.model c) && IndexLogic0.index_logic (Seq.get (Model0.model c) i) = UInt64.to_int idx) }
-    
-end
-module CreuSat_ConflictAnalysis_IdxIn
-  use seq.Seq
-  use mach.int.UInt64
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant0.invariant'
-  clone CreuSat_Logic_LogicLit_IdxInLogic as IdxInLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = bool, type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy1 with type t = bool, type a = Type.alloc_alloc_global
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model1 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model3.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy2 with type t = bool
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = bool
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = bool, type i = usize, type a = Type.alloc_alloc_global,
-  function Model0.model = Model3.model, predicate InBounds0.in_bounds = InBounds0.in_bounds,
-  predicate HasValue0.has_value = HasValue0.has_value, type Output0.output = Output0.output
-  let rec cfg idx_in [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 27 0 27 61] (c : Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global)) (idx : usize) (seen : Type.alloc_vec_vec bool (Type.alloc_alloc_global)) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 23 0 23 51] VarsInRangeInner0.vars_in_range_inner (Model0.model c) (Seq.length (Model1.model seen))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 24 0 24 33] UInt64.to_int idx < Seq.length (Model1.model seen)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 25 0 25 52] Seq.get (Model1.model seen) (UInt64.to_int idx) = IdxInLogic0.idx_in_logic (UInt64.to_int idx) (Model0.model c)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 26 0 26 96] result = (exists i : (int) . 0 <= i && i < Seq.length (Model0.model c) && IndexLogic0.index_logic (Seq.get (Model0.model c) i) = UInt64.to_int idx) }
-    
-   =
-  var _0 : bool;
-  var c_1 : Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global);
-  var idx_2 : usize;
-  var seen_3 : Type.alloc_vec_vec bool (Type.alloc_alloc_global);
-  var _4 : bool;
-  var _5 : Type.alloc_vec_vec bool (Type.alloc_alloc_global);
-  var _6 : usize;
-  {
-    c_1 <- c;
-    idx_2 <- idx;
-    seen_3 <- seen;
-    goto BB0
-  }
-  BB0 {
-    _5 <- seen_3;
-    _6 <- idx_2;
-    _4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 28 4 28 13] Index0.index _5 _6);
-    goto BB1
-  }
-  BB1 {
-    _0 <- _4;
-    return _0
-  }
-  
-end
-module CreuSat_Logic_LogicLit_Impl1_LitIdxIn_Interface
-  use Type
-  predicate lit_idx_in (self : Type.creusat_lit_lit) (c : Type.creusat_clause_clause)
-end
-module CreuSat_Logic_LogicLit_Impl1_LitIdxIn
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  use seq.Seq
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate lit_idx_in [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 68 4 68 46] (self : Type.creusat_lit_lit) (c : Type.creusat_clause_clause)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 69 8 72 9] exists i : (int) . 0 <= i && i < Seq.length (Model0.model c) && IndexLogic0.index_logic (Seq.get (Model0.model c) i) = IndexLogic0.index_logic self
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 69 8 72 9] exists i : (int) . 0 <= i /\ i < Seq.length (Model0.model c) /\ IndexLogic0.index_logic (Seq.get (Model0.model c) i) = IndexLogic0.index_logic self
 end
 module CreuSat_Logic_LogicTrail_LitIsUniqueInner_Interface
   use seq.Seq
@@ -4212,10 +2096,10 @@ module CreuSat_Logic_LogicTrail_LitIsUniqueInner
   use mach.int.Int
   use mach.int.Int32
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  predicate lit_is_unique_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 210 0 210 48] (trail : Seq.seq (Type.creusat_trail_step))
+  predicate lit_is_unique_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 210 0 210 48] (trail : Seq.seq (Type.creusat_trail_step))
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 211 4 215 5] forall i : (int) . 0 <= i && i < Seq.length trail -> (forall j : (int) . 0 <= j && j < i -> IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit (Seq.get trail j)) <> IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit (Seq.get trail i)))
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 211 4 215 5] forall i : (int) . 0 <= i /\ i < Seq.length trail -> (forall j : (int) . 0 <= j /\ j < i -> IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit (Seq.get trail j)) <> IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit (Seq.get trail i)))
 end
 module CreuSat_Logic_LogicUtil_SortedRange_Interface
   use seq.Seq
@@ -4229,10 +2113,10 @@ module CreuSat_Logic_LogicUtil_SortedRange
   use mach.int.Int
   use prelude.Prelude
   use mach.int.UInt64
-  predicate sorted_range [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 20 0 20 58] (s : Seq.seq usize) (l : int) (u : int)
+  predicate sorted_range [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 20 0 20 58] (s : Seq.seq usize) (l : int) (u : int)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 21 4 23 5] forall j : (int) . forall i : (int) . l <= i && i < j && j < u -> Seq.get s i <= Seq.get s j
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 21 4 23 5] forall j : (int) . forall i : (int) . l <= i /\ i < j /\ j < u -> Seq.get s i <= Seq.get s j
 end
 module CreuSat_Logic_LogicUtil_Sorted_Interface
   use seq.Seq
@@ -4248,8 +2132,8 @@ module CreuSat_Logic_LogicUtil_Sorted
   use mach.int.UInt64
   use mach.int.Int32
   clone CreuSat_Logic_LogicUtil_SortedRange_Interface as SortedRange0
-  predicate sorted [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 27 0 27 36] (s : Seq.seq usize) =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 28 4 30 5] SortedRange0.sorted_range s 0 (Seq.length s)
+  predicate sorted [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 27 0 27 36] (s : Seq.seq usize) =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 28 4 30 5] SortedRange0.sorted_range s 0 (Seq.length s)
 end
 module CreuSat_Logic_LogicTrail_UnitAreSat_Interface
   use seq.Seq
@@ -4267,11 +2151,11 @@ module CreuSat_Logic_LogicTrail_UnitAreSat
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  predicate unit_are_sat [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 241 0 241 69] (trail : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
+  predicate unit_are_sat [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 241 0 241 69] (trail : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 242 4 250 5] forall j : (int) . 0 <= j && j < Seq.length trail -> match (Type.creusat_trail_step_Step_reason (Seq.get trail j)) with
-      | Type.CreuSat_Trail_Reason_Unit k -> Type.creusat_trail_step_Step_lit (Seq.get trail j) = Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int k))) 0 && Sat0.sat (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int k))) 0) a
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 242 4 250 5] forall j : (int) . 0 <= j /\ j < Seq.length trail -> match (Type.creusat_trail_step_Step_reason (Seq.get trail j)) with
+      | Type.CreuSat_Trail_Reason_Unit k -> Type.creusat_trail_step_Step_lit (Seq.get trail j) = Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int k))) 0 /\ Sat0.sat (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int k))) 0) a
       | _ -> true
       end
 end
@@ -4301,13 +2185,13 @@ module CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_trail_step,
   type a = Type.alloc_alloc_global, axiom .
   clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate invariant_no_decision_mirror [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 67 4 67 61] (self : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
+  predicate invariant_no_decision_mirror [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 67 4 67 61] (self : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 68 8 83 9] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) = Seq.length (Model0.model (Type.creusat_trail_trail_Trail_assignments self)) && (forall i : (int) . 0 <= i && i < Seq.length (Model0.model (Type.creusat_trail_trail_Trail_assignments self)) -> UInt8.to_int (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments self)) i) <= 3) && (forall i : (int) . 0 <= i && i < Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail self)) -> Invariant0.invariant' (Seq.get (Model1.model (Type.creusat_trail_trail_Trail_trail self)) i) f) && Seq.length (Model2.model (Type.creusat_trail_trail_Trail_lit_to_level self)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) && (forall i : (int) . 0 <= i && i < Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail self)) -> (forall j : (int) . 0 <= j && j < i -> match (Type.creusat_trail_step_Step_reason (Seq.get (Model1.model (Type.creusat_trail_trail_Trail_trail self)) j)) with
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 68 8 83 9] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) = Seq.length (Model0.model (Type.creusat_trail_trail_Trail_assignments self)) /\ (forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model (Type.creusat_trail_trail_Trail_assignments self)) -> UInt8.to_int (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments self)) i) <= 3) /\ (forall i : (int) . 0 <= i /\ i < Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail self)) -> Invariant0.invariant' (Seq.get (Model1.model (Type.creusat_trail_trail_Trail_trail self)) i) f) /\ Seq.length (Model2.model (Type.creusat_trail_trail_Trail_lit_to_level self)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) /\ (forall i : (int) . 0 <= i /\ i < Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail self)) -> (forall j : (int) . 0 <= j /\ j < i -> match (Type.creusat_trail_step_Step_reason (Seq.get (Model1.model (Type.creusat_trail_trail_Trail_trail self)) j)) with
       | Type.CreuSat_Trail_Reason_Long cref -> not LitIdxIn0.lit_idx_in (Type.creusat_trail_step_Step_lit (Seq.get (Model1.model (Type.creusat_trail_trail_Trail_trail self)) i)) (Seq.get (Model3.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))
       | _ -> true
-      end)) && LitIsUniqueInner0.lit_is_unique_inner (Model1.model (Type.creusat_trail_trail_Trail_trail self)) && LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail self)) f (Model0.model (Type.creusat_trail_trail_Trail_assignments self)) && (forall j : (int) . 0 <= j && j < Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail self)) -> Sat0.sat (Type.creusat_trail_step_Step_lit (Seq.get (Model1.model (Type.creusat_trail_trail_Trail_trail self)) j)) (Type.creusat_trail_trail_Trail_assignments self)) && Sorted0.sorted (Model2.model (Type.creusat_trail_trail_Trail_decisions self)) && UnitAreSat0.unit_are_sat (Model1.model (Type.creusat_trail_trail_Trail_trail self)) f (Type.creusat_trail_trail_Trail_assignments self)
+      end)) /\ LitIsUniqueInner0.lit_is_unique_inner (Model1.model (Type.creusat_trail_trail_Trail_trail self)) /\ LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail self)) f (Model0.model (Type.creusat_trail_trail_Trail_assignments self)) /\ (forall j : (int) . 0 <= j /\ j < Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail self)) -> Sat0.sat (Type.creusat_trail_step_Step_lit (Seq.get (Model1.model (Type.creusat_trail_trail_Trail_trail self)) j)) (Type.creusat_trail_trail_Trail_assignments self)) /\ Sorted0.sorted (Model2.model (Type.creusat_trail_trail_Trail_decisions self)) /\ UnitAreSat0.unit_are_sat (Model1.model (Type.creusat_trail_trail_Trail_trail self)) f (Type.creusat_trail_trail_Trail_assignments self)
 end
 module CreuSat_Logic_LogicTrail_LitToLevelInvariant_Interface
   use seq.Seq
@@ -4323,10 +2207,10 @@ module CreuSat_Logic_LogicTrail_LitToLevelInvariant
   use prelude.Prelude
   use mach.int.UInt64
   use Type
-  predicate lit_to_level_invariant [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 163 0 163 71] (lit_to_level : Seq.seq usize) (f : Type.creusat_formula_formula)
+  predicate lit_to_level_invariant [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 163 0 163 71] (lit_to_level : Seq.seq usize) (f : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 164 4 166 5] Seq.length lit_to_level = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 164 4 166 5] Seq.length lit_to_level = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)
 end
 module CreuSat_Logic_LogicTrail_LitNotInLessInner_Interface
   use seq.Seq
@@ -4342,10 +2226,10 @@ module CreuSat_Logic_LogicTrail_LitNotInLessInner
   clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn_Interface as LitIdxIn0
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  predicate lit_not_in_less_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 144 0 144 62] (t : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula)
+  predicate lit_not_in_less_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 144 0 144 62] (t : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 145 4 152 5] forall i : (int) . 0 <= i && i < Seq.length t -> (forall j : (int) . 0 <= j && j < i -> match (Type.creusat_trail_step_Step_reason (Seq.get t j)) with
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 145 4 152 5] forall i : (int) . 0 <= i /\ i < Seq.length t -> (forall j : (int) . 0 <= j /\ j < i -> match (Type.creusat_trail_step_Step_reason (Seq.get t j)) with
       | Type.CreuSat_Trail_Reason_Long cref -> not LitIdxIn0.lit_idx_in (Type.creusat_trail_step_Step_lit (Seq.get t i)) (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))
       | _ -> true
       end)
@@ -4359,10 +2243,10 @@ module CreuSat_Logic_LogicTrail_Impl2_LitNotInLess
   clone CreuSat_Logic_LogicTrail_LitNotInLessInner_Interface as LitNotInLessInner0
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_trail_step,
   type a = Type.alloc_alloc_global, axiom .
-  predicate lit_not_in_less [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 127 4 127 52] (self : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
+  predicate lit_not_in_less [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 127 4 127 52] (self : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 128 8 131 9] LitNotInLessInner0.lit_not_in_less_inner (Model0.model (Type.creusat_trail_trail_Trail_trail self)) f
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 128 8 131 9] LitNotInLessInner0.lit_not_in_less_inner (Model0.model (Type.creusat_trail_trail_Trail_trail self)) f
 end
 module CreuSat_Logic_LogicTrail_Impl2_LitIsUnique_Interface
   use Type
@@ -4373,10 +2257,10 @@ module CreuSat_Logic_LogicTrail_Impl2_LitIsUnique
   clone CreuSat_Logic_LogicTrail_LitIsUniqueInner_Interface as LitIsUniqueInner0
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_trail_step,
   type a = Type.alloc_alloc_global, axiom .
-  predicate lit_is_unique [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 136 4 136 38] (self : Type.creusat_trail_trail)
+  predicate lit_is_unique [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 136 4 136 38] (self : Type.creusat_trail_trail)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 137 8 139 9] LitIsUniqueInner0.lit_is_unique_inner (Model0.model (Type.creusat_trail_trail_Trail_trail self))
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 137 8 139 9] LitIsUniqueInner0.lit_is_unique_inner (Model0.model (Type.creusat_trail_trail_Trail_trail self))
 end
 module CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner_Interface
   use seq.Seq
@@ -4394,10 +2278,10 @@ module CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner
   use prelude.UInt8
   use mach.int.Int32
   clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
-  predicate trail_entries_are_assigned_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 179 0 179 80] (t : Seq.seq (Type.creusat_trail_step)) (a : Seq.seq uint8)
+  predicate trail_entries_are_assigned_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 179 0 179 80] (t : Seq.seq (Type.creusat_trail_step)) (a : Seq.seq uint8)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 180 4 183 5] forall j : (int) . 0 <= j && j < Seq.length t -> SatInner0.sat_inner (Type.creusat_trail_step_Step_lit (Seq.get t j)) a
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 180 4 183 5] forall j : (int) . 0 <= j /\ j < Seq.length t -> SatInner0.sat_inner (Type.creusat_trail_step_Step_lit (Seq.get t j)) a
 end
 module CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned_Interface
   use Type
@@ -4409,10 +2293,10 @@ module CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned
   clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model1
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_trail_step,
   type a = Type.alloc_alloc_global, axiom .
-  predicate trail_entries_are_assigned [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 113 4 113 51] (self : Type.creusat_trail_trail)
+  predicate trail_entries_are_assigned [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 113 4 113 51] (self : Type.creusat_trail_trail)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 114 8 116 9] TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner (Model0.model (Type.creusat_trail_trail_Trail_trail self)) (Model1.model (Type.creusat_trail_trail_Trail_assignments self))
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 114 8 116 9] TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner (Model0.model (Type.creusat_trail_trail_Trail_trail self)) (Model1.model (Type.creusat_trail_trail_Trail_assignments self))
 end
 module CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted_Interface
   use Type
@@ -4426,10 +2310,10 @@ module CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted
   clone CreuSat_Logic_LogicUtil_Sorted_Interface as Sorted0
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = usize, type a = Type.alloc_alloc_global,
   axiom .
-  predicate decisions_are_sorted [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 120 4 120 45] (self : Type.creusat_trail_trail)
+  predicate decisions_are_sorted [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 120 4 120 45] (self : Type.creusat_trail_trail)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 121 8 123 9] Sorted0.sorted (Model0.model (Type.creusat_trail_trail_Trail_decisions self))
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 121 8 123 9] Sorted0.sorted (Model0.model (Type.creusat_trail_trail_Trail_decisions self))
 end
 module CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision_Interface
   use Type
@@ -4456,83 +2340,11 @@ module CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_trail_step,
   type a = Type.alloc_alloc_global, axiom .
   clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant0
-  predicate invariant_no_decision [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 88 4 88 58] (self : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 89 8 101 9] Invariant0.invariant' (Type.creusat_trail_trail_Trail_assignments self) f && TrailInvariant0.trail_invariant (Model0.model (Type.creusat_trail_trail_Trail_trail self)) f && LitToLevelInvariant0.lit_to_level_invariant (Model1.model (Type.creusat_trail_trail_Trail_lit_to_level self)) f && LitNotInLess0.lit_not_in_less self f && LitIsUnique0.lit_is_unique self && LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail self)) f (Model2.model (Type.creusat_trail_trail_Trail_assignments self)) && TrailEntriesAreAssigned0.trail_entries_are_assigned self && DecisionsAreSorted0.decisions_are_sorted self && UnitAreSat0.unit_are_sat (Model0.model (Type.creusat_trail_trail_Trail_trail self)) f (Type.creusat_trail_trail_Trail_assignments self)
-  axiom invariant_no_decision_spec : forall self : Type.creusat_trail_trail, f : Type.creusat_formula_formula . [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 87 4 87 62] invariant_no_decision self f = InvariantNoDecisionMirror0.invariant_no_decision_mirror self f
-end
-module CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision_Impl
-  use Type
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model5 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant2 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model2 with function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant0 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant3 with function Model0.model = Model3.model,
-  function Model1.model = Model5.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant1 with predicate Invariant0.invariant' = Invariant2.invariant',
-  predicate Invariant1.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant1.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model3.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model3.model,
-  function Model1.model = Model5.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model3.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model1.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model0.model,
-  function Model1.model = Model2.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model0.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model0.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model2.model,
-  function Model1.model = Model0.model, predicate Invariant0.invariant' = Invariant1.invariant',
-  function Model2.model = Model1.model, function Model3.model = Model3.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  let rec ghost function invariant_no_decision (self : Type.creusat_trail_trail) (f : Type.creusat_formula_formula) : bool
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 87 4 87 62] result = InvariantNoDecisionMirror0.invariant_no_decision_mirror self f }
+  predicate invariant_no_decision [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 88 4 88 58] (self : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 89 8 101 9] (let a' = Type.creusat_trail_trail_Trail_assignments self in Invariant0.invariant' a' f) && (let a' = let a' = Type.creusat_trail_trail_Trail_trail self in Model0.model a' in TrailInvariant0.trail_invariant a' f) && (let a' = let a' = Type.creusat_trail_trail_Trail_lit_to_level self in Model1.model a' in LitToLevelInvariant0.lit_to_level_invariant a' f) && LitNotInLess0.lit_not_in_less self f && LitIsUnique0.lit_is_unique self && (let a' = let a' = Type.creusat_trail_trail_Trail_trail self in Model0.model a' in let c' = let a' = Type.creusat_trail_trail_Trail_assignments self in Model2.model a' in LongArePostUnitInner0.long_are_post_unit_inner a' f c') && TrailEntriesAreAssigned0.trail_entries_are_assigned self && DecisionsAreSorted0.decisions_are_sorted self && (let a' = let a' = Type.creusat_trail_trail_Trail_trail self in Model0.model a' in let c' = Type.creusat_trail_trail_Trail_assignments self in UnitAreSat0.unit_are_sat a' f c')
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 89 8 101 9] Invariant0.invariant' (Type.creusat_trail_trail_Trail_assignments self) f /\ TrailInvariant0.trail_invariant (Model0.model (Type.creusat_trail_trail_Trail_trail self)) f /\ LitToLevelInvariant0.lit_to_level_invariant (Model1.model (Type.creusat_trail_trail_Trail_lit_to_level self)) f /\ LitNotInLess0.lit_not_in_less self f /\ LitIsUnique0.lit_is_unique self /\ LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail self)) f (Model2.model (Type.creusat_trail_trail_Trail_assignments self)) /\ TrailEntriesAreAssigned0.trail_entries_are_assigned self /\ DecisionsAreSorted0.decisions_are_sorted self /\ UnitAreSat0.unit_are_sat (Model0.model (Type.creusat_trail_trail_Trail_trail self)) f (Type.creusat_trail_trail_Trail_assignments self)
+  axiom invariant_no_decision_spec : forall self : Type.creusat_trail_trail, f : Type.creusat_formula_formula . [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 87 4 87 62] invariant_no_decision self f = InvariantNoDecisionMirror0.invariant_no_decision_mirror self f
 end
 module CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface
   use Type
@@ -4545,17 +2357,17 @@ module CreuSat_Logic_LogicTrail_Impl2_Invariant
   use seq.Seq
   use mach.int.UInt64
   use prelude.Prelude
+  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror_Interface as InvariantNoDecisionMirror0
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_trail_step,
   type a = Type.alloc_alloc_global, axiom .
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = usize, type a = Type.alloc_alloc_global,
   axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror_Interface as InvariantNoDecisionMirror0
   clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision_Interface as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
   axiom .
-  predicate invariant' [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 59 4 59 46] (self : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
+  predicate invariant' [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 59 4 59 46] (self : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 60 8 63 9] InvariantNoDecision0.invariant_no_decision self f && (forall i : (int) . 0 <= i && i < Seq.length (Model0.model (Type.creusat_trail_trail_Trail_decisions self)) -> UInt64.to_int (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_decisions self)) i) <= Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail self)))
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 60 8 63 9] InvariantNoDecision0.invariant_no_decision self f /\ (forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model (Type.creusat_trail_trail_Trail_decisions self)) -> UInt64.to_int (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_decisions self)) i) <= Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail self)))
 end
 module CreuSat_Logic_LogicClause_Impl2_InFormula_Interface
   use Type
@@ -4568,10 +2380,10 @@ module CreuSat_Logic_LogicClause_Impl2_InFormula
   use seq.Seq
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  predicate in_formula [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 114 4 114 47] (self : Type.creusat_clause_clause) (f : Type.creusat_formula_formula)
+  predicate in_formula [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 114 4 114 47] (self : Type.creusat_clause_clause) (f : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 115 8 118 9] exists i : (int) . 0 <= i && i < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) && Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) i = self
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 115 8 118 9] exists i : (int) . 0 <= i /\ i < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) /\ Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) i = self
 end
 module CreuSat_Logic_LogicLit_Impl1_IsOpp_Interface
   use Type
@@ -4581,10 +2393,10 @@ module CreuSat_Logic_LogicLit_Impl1_IsOpp
   use Type
   clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  predicate is_opp [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 47 4 47 39] (self : Type.creusat_lit_lit) (o : Type.creusat_lit_lit)
+  predicate is_opp [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 47 4 47 39] (self : Type.creusat_lit_lit) (o : Type.creusat_lit_lit)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 48 8 50 9] IndexLogic0.index_logic self = IndexLogic0.index_logic o && IsPositiveLogic0.is_positive_logic self <> IsPositiveLogic0.is_positive_logic o
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 48 8 50 9] IndexLogic0.index_logic self = IndexLogic0.index_logic o /\ IsPositiveLogic0.is_positive_logic self <> IsPositiveLogic0.is_positive_logic o
 end
 module CreuSat_Logic_LogicClause_Impl2_SameIdxSamePolarityExcept_Interface
   use Type
@@ -4600,10 +2412,10 @@ module CreuSat_Logic_LogicClause_Impl2_SameIdxSamePolarityExcept
   clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate same_idx_same_polarity_except [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 92 4 92 85] (self : Type.creusat_clause_clause) (other : Type.creusat_clause_clause) (exception' : int)
+  predicate same_idx_same_polarity_except [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 92 4 92 85] (self : Type.creusat_clause_clause) (other : Type.creusat_clause_clause) (exception' : int)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 93 8 98 9] forall j : (int) . forall i : (int) . 0 <= i && i < Seq.length (Model0.model self) && 0 <= j && j < Seq.length (Model0.model other) -> IndexLogic0.index_logic (Seq.get (Model0.model self) i) <> exception' && IndexLogic0.index_logic (Seq.get (Model0.model self) i) = IndexLogic0.index_logic (Seq.get (Model0.model other) j) -> IsPositiveLogic0.is_positive_logic (Seq.get (Model0.model self) i) = IsPositiveLogic0.is_positive_logic (Seq.get (Model0.model other) j)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 93 8 98 9] forall j : (int) . forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model self) /\ 0 <= j /\ j < Seq.length (Model0.model other) -> IndexLogic0.index_logic (Seq.get (Model0.model self) i) <> exception' /\ IndexLogic0.index_logic (Seq.get (Model0.model self) i) = IndexLogic0.index_logic (Seq.get (Model0.model other) j) -> IsPositiveLogic0.is_positive_logic (Seq.get (Model0.model self) i) = IsPositiveLogic0.is_positive_logic (Seq.get (Model0.model other) j)
 end
 module CreuSat_Logic_LogicUtil_ElemsLessThan_Interface
   use seq.Seq
@@ -4618,10 +2430,10 @@ module CreuSat_Logic_LogicUtil_ElemsLessThan
   use prelude.Prelude
   use mach.int.UInt64
   use mach.int.Int32
-  predicate elems_less_than [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 58 0 58 53] (v : Seq.seq usize) (n : int)
+  predicate elems_less_than [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 58 0 58 53] (v : Seq.seq usize) (n : int)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 59 4 59 68] forall i : (int) . 0 <= i && i < Seq.length v -> UInt64.to_int (Seq.get v i) < n
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 59 4 59 68] forall i : (int) . 0 <= i /\ i < Seq.length v -> UInt64.to_int (Seq.get v i) < n
 end
 module CreuSat_Logic_LogicClause_Impl2_ClauseIsSeen_Interface
   use Type
@@ -4637,10 +2449,10 @@ module CreuSat_Logic_LogicClause_Impl2_ClauseIsSeen
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = bool, type a = Type.alloc_alloc_global,
   axiom .
-  predicate clause_is_seen [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 237 4 237 56] (self : Type.creusat_clause_clause) (seen : Type.alloc_vec_vec bool (Type.alloc_alloc_global))
+  predicate clause_is_seen [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 237 4 237 56] (self : Type.creusat_clause_clause) (seen : Type.alloc_vec_vec bool (Type.alloc_alloc_global))
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 238 8 241 9] forall idx : (int) . 0 <= idx && idx < Seq.length (Model0.model seen) -> Seq.get (Model0.model seen) idx = IdxInLogic0.idx_in_logic idx (Model1.model self)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 238 8 241 9] forall idx : (int) . 0 <= idx /\ idx < Seq.length (Model0.model seen) -> Seq.get (Model0.model seen) idx = IdxInLogic0.idx_in_logic idx (Model1.model self)
 end
 module CreuSat_Logic_LogicClause_Impl2_Unsat_Interface
   use Type
@@ -4650,10 +2462,10 @@ module CreuSat_Logic_LogicClause_Impl2_Unsat
   use Type
   clone CreuSat_Logic_LogicClause_Impl2_UnsatInner_Interface as UnsatInner0
   clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate unsat [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 153 4 153 46] (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
+  predicate unsat [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 153 4 153 46] (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 154 8 154 42] UnsatInner0.unsat_inner self (Model0.model a)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 154 8 154 42] UnsatInner0.unsat_inner self (Model0.model a)
 end
 module CreusotContracts_Logic_Int_Impl18_ModelTy
   use mach.int.Int
@@ -4674,10 +2486,10 @@ module CreuSat_Logic_LogicClause_Impl2_ResolventOf
   clone CreuSat_Logic_LogicLit_Impl1_IsOpp_Interface as IsOpp0
   clone CreuSat_Logic_LogicLit_Impl1_LitIn_Interface as LitIn0
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate resolvent_of [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 102 4 102 76] (self : Type.creusat_clause_clause) (c : Type.creusat_clause_clause) (c2 : Type.creusat_clause_clause) (k : int) (m : int)
+  predicate resolvent_of [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 102 4 102 76] (self : Type.creusat_clause_clause) (c : Type.creusat_clause_clause) (c2 : Type.creusat_clause_clause) (k : int) (m : int)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 103 8 110 9] (forall i : (int) . 0 <= i && i < Seq.length (Model0.model c) && i <> m -> LitIn0.lit_in (Seq.get (Model0.model c) i) self) && (forall i : (int) . 0 <= i && i < Seq.length (Model0.model c2) && i <> k -> LitIn0.lit_in (Seq.get (Model0.model c2) i) self) && (forall i : (int) . 0 <= i && i < Seq.length (Model0.model self) -> LitIn0.lit_in (Seq.get (Model0.model self) i) c || LitIn0.lit_in (Seq.get (Model0.model self) i) c2) && not LitIn0.lit_in (Seq.get (Model0.model c) m) self && not LitIn0.lit_in (Seq.get (Model0.model c2) k) self && IsOpp0.is_opp (Seq.get (Model0.model c2) k) (Seq.get (Model0.model c) m)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 103 8 110 9] (forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model c) /\ i <> m -> LitIn0.lit_in (Seq.get (Model0.model c) i) self) /\ (forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model c2) /\ i <> k -> LitIn0.lit_in (Seq.get (Model0.model c2) i) self) /\ (forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model self) -> LitIn0.lit_in (Seq.get (Model0.model self) i) c \/ LitIn0.lit_in (Seq.get (Model0.model self) i) c2) /\ not LitIn0.lit_in (Seq.get (Model0.model c) m) self /\ not LitIn0.lit_in (Seq.get (Model0.model c2) k) self /\ IsOpp0.is_opp (Seq.get (Model0.model c2) k) (Seq.get (Model0.model c) m)
 end
 module CreuSat_Logic_LogicClause_Impl2_InFormulaInner_Interface
   use Type
@@ -4690,10 +2502,10 @@ module CreuSat_Logic_LogicClause_Impl2_InFormulaInner
   use seq.Seq
   use mach.int.Int
   use mach.int.Int32
-  predicate in_formula_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 122 4 122 64] (self : Type.creusat_clause_clause) (f : (Seq.seq (Type.creusat_clause_clause), int))
+  predicate in_formula_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 122 4 122 64] (self : Type.creusat_clause_clause) (f : (Seq.seq (Type.creusat_clause_clause), int))
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 123 8 125 9] exists i : (int) . 0 <= i && i < Seq.length (let (a, _) = f in a) && Seq.get (let (a, _) = f in a) i = self
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 123 8 125 9] exists i : (int) . 0 <= i /\ i < Seq.length (let (a, _) = f in a) /\ Seq.get (let (a, _) = f in a) i = self
 end
 module CreuSat_Logic_LogicClause_Impl2_Equals_Interface
   use Type
@@ -4705,10 +2517,10 @@ module CreuSat_Logic_LogicClause_Impl2_Equals
   use mach.int.Int
   use mach.int.Int32
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate equals [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 210 4 210 42] (self : Type.creusat_clause_clause) (o : Type.creusat_clause_clause)
+  predicate equals [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 210 4 210 42] (self : Type.creusat_clause_clause) (o : Type.creusat_clause_clause)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 211 8 215 9] Seq.length (Model0.model self) = Seq.length (Model0.model o) && (forall j : (int) . 0 <= j && j < Seq.length (Model0.model self) -> Seq.get (Model0.model self) j = Seq.get (Model0.model o) j)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 211 8 215 9] Seq.length (Model0.model self) = Seq.length (Model0.model o) /\ (forall j : (int) . 0 <= j /\ j < Seq.length (Model0.model self) -> Seq.get (Model0.model self) j = Seq.get (Model0.model o) j)
 end
 module CreuSat_Logic_LogicConflictAnalysis_LemmaEqFormulas_Interface
   use seq.Seq
@@ -4729,40 +2541,11 @@ module CreuSat_Logic_LogicConflictAnalysis_LemmaEqFormulas
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
   clone CreuSat_Logic_LogicClause_Impl2_Equals_Interface as Equals0
   clone CreuSat_Logic_LogicFormula_FormulaInvariant_Interface as FormulaInvariant0
-  function lemma_eq_formulas [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 17 0 17 78] (f : (Seq.seq (Type.creusat_clause_clause), int)) (f2 : (Seq.seq (Type.creusat_clause_clause), int)) (c : Type.creusat_clause_clause) : ()
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 9 0 9 8] ()
-  axiom lemma_eq_formulas_spec : forall f : (Seq.seq (Type.creusat_clause_clause), int), f2 : (Seq.seq (Type.creusat_clause_clause), int), c : Type.creusat_clause_clause . ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 10 0 10 32] (let (a, _) = f2 in a) = Seq.snoc (let (a, _) = f in a) c) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 11 0 11 33] FormulaInvariant0.formula_invariant f) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 14 0 14 41] Model0.model (Seq.get (let (a, _) = f2 in a) (Seq.length (let (a, _) = f2 in a) - 1)) = Model0.model c) && ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 13 0 13 85] forall i : (int) . 0 <= i && i < Seq.length (let (a, _) = f in a) -> Equals0.equals (Seq.get (let (a, _) = f in a) i) (Seq.get (let (a, _) = f2 in a) i)) && ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 12 0 12 43] Seq.length (let (a, _) = f in a) + 1 = Seq.length (let (a, _) = f2 in a))
-end
-module CreuSat_Logic_LogicConflictAnalysis_LemmaEqFormulas_Impl
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant1.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model0 with function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant0 with function Model0.model = Model0.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicClause_Impl2_Equals as Equals0 with function Model0.model = Model0.model
-  let rec ghost function lemma_eq_formulas (f : (Seq.seq (Type.creusat_clause_clause), int)) (f2 : (Seq.seq (Type.creusat_clause_clause), int)) (c : Type.creusat_clause_clause) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 10 0 10 32] (let (a, _) = f2 in a) = Seq.snoc (let (a, _) = f in a) c}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 11 0 11 33] FormulaInvariant0.formula_invariant f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 12 0 12 43] Seq.length (let (a, _) = f in a) + 1 = Seq.length (let (a, _) = f2 in a) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 13 0 13 85] forall i : (int) . 0 <= i && i < Seq.length (let (a, _) = f in a) -> Equals0.equals (Seq.get (let (a, _) = f in a) i) (Seq.get (let (a, _) = f2 in a) i) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 14 0 14 41] Model0.model (Seq.get (let (a, _) = f2 in a) (Seq.length (let (a, _) = f2 in a) - 1)) = Model0.model c }
+  function lemma_eq_formulas [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_conflict_analysis.rs" 17 0 17 78] (f : (Seq.seq (Type.creusat_clause_clause), int)) (f2 : (Seq.seq (Type.creusat_clause_clause), int)) (c : Type.creusat_clause_clause) : ()
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 9 0 9 8] ()
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_conflict_analysis.rs" 9 0 9 8] ()
+  axiom lemma_eq_formulas_spec : forall f : (Seq.seq (Type.creusat_clause_clause), int), f2 : (Seq.seq (Type.creusat_clause_clause), int), c : Type.creusat_clause_clause . ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_conflict_analysis.rs" 10 0 10 32] (let (a, _) = f2 in a) = Seq.snoc (let (a, _) = f in a) c) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_conflict_analysis.rs" 11 0 11 33] FormulaInvariant0.formula_invariant f) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_conflict_analysis.rs" 14 0 14 41] Model0.model (Seq.get (let (a, _) = f2 in a) (Seq.length (let (a, _) = f2 in a) - 1)) = Model0.model c) && ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_conflict_analysis.rs" 13 0 13 85] forall i : (int) . 0 <= i /\ i < Seq.length (let (a, _) = f in a) -> Equals0.equals (Seq.get (let (a, _) = f in a) i) (Seq.get (let (a, _) = f2 in a) i)) && ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_conflict_analysis.rs" 12 0 12 43] Seq.length (let (a, _) = f in a) + 1 = Seq.length (let (a, _) = f2 in a))
 end
 module CreuSat_Logic_LogicConflictAnalysis_LemmaResolventOfEquisatExtensionIsEquisat_Interface
   use seq.Seq
@@ -4787,58 +2570,11 @@ module CreuSat_Logic_LogicConflictAnalysis_LemmaResolventOfEquisatExtensionIsEqu
   clone CreuSat_Logic_LogicClause_Impl2_Equals_Interface as Equals0
   clone CreuSat_Logic_LogicConflictAnalysis_LemmaEqFormulas_Interface as LemmaEqFormulas0 with predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant,
   predicate Equals0.equals = Equals0.equals, function Model0.model = Model0.model, axiom .
-  function lemma_resolvent_of_equisat_extension_is_equisat [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 26 0 28 1] (f : (Seq.seq (Type.creusat_clause_clause), int)) (c : Type.creusat_clause_clause) (c2 : Type.creusat_clause_clause) (c3 : Type.creusat_clause_clause) (k : int) (m : int) : ()
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 20 0 20 8] let _ = LemmaEqFormulas0.lemma_eq_formulas f (Seq.snoc (let (a, _) = f in a) c3, let (_, a) = f in a) c3 in ()
-  axiom lemma_resolvent_of_equisat_extension_is_equisat_spec : forall f : (Seq.seq (Type.creusat_clause_clause), int), c : Type.creusat_clause_clause, c2 : Type.creusat_clause_clause, c3 : Type.creusat_clause_clause, k : int, m : int . ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 21 0 21 33] FormulaInvariant0.formula_invariant f) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 22 0 22 42] EquisatExtensionInner0.equisat_extension_inner c f) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 23 0 23 35] InFormulaInner0.in_formula_inner c2 f) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 24 0 24 41] ResolventOf0.resolvent_of c3 c c2 k m) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 25 0 25 42] EquisatExtensionInner0.equisat_extension_inner c3 f)
-end
-module CreuSat_Logic_LogicConflictAnalysis_LemmaResolventOfEquisatExtensionIsEquisat_Impl
-  use seq.Seq
-  use Type
-  use mach.int.Int
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant1.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicLit_Impl1_IsOpp as IsOpp0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model0 with function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner0 with function Model0.model = Model0.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicClause_Impl2_Equals as Equals0 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicLit_Impl1_LitIn as LitIn0 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicClause_Impl2_ResolventOf as ResolventOf0 with function Model0.model = Model0.model,
-  predicate LitIn0.lit_in = LitIn0.lit_in, predicate IsOpp0.is_opp = IsOpp0.is_opp
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant0 with function Model0.model = Model0.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicConflictAnalysis_LemmaEqFormulas as LemmaEqFormulas0 with predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant,
-  predicate Equals0.equals = Equals0.equals, function Model0.model = Model0.model, axiom .
-  clone CreuSat_Logic_LogicClause_Impl2_InFormulaInner as InFormulaInner0
-  let rec ghost function lemma_resolvent_of_equisat_extension_is_equisat (f : (Seq.seq (Type.creusat_clause_clause), int)) (c : Type.creusat_clause_clause) (c2 : Type.creusat_clause_clause) (c3 : Type.creusat_clause_clause) (k : int) (m : int) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 21 0 21 33] FormulaInvariant0.formula_invariant f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 22 0 22 42] EquisatExtensionInner0.equisat_extension_inner c f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 23 0 23 35] InFormulaInner0.in_formula_inner c2 f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 24 0 24 41] ResolventOf0.resolvent_of c3 c c2 k m}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 25 0 25 42] EquisatExtensionInner0.equisat_extension_inner c3 f }
+  function lemma_resolvent_of_equisat_extension_is_equisat [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_conflict_analysis.rs" 26 0 28 1] (f : (Seq.seq (Type.creusat_clause_clause), int)) (c : Type.creusat_clause_clause) (c2 : Type.creusat_clause_clause) (c3 : Type.creusat_clause_clause) (k : int) (m : int) : ()
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_conflict_analysis.rs" 20 0 20 8] let _ = LemmaEqFormulas0.lemma_eq_formulas f (Seq.snoc (let (a, _) = f in a) c3, let (_, a) = f in a) c3 in ()
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_conflict_analysis.rs" 20 0 20 8] let _ = LemmaEqFormulas0.lemma_eq_formulas f (Seq.snoc (let (a, _) = f in a) c3, let (_, a) = f in a) c3 in ()
+  axiom lemma_resolvent_of_equisat_extension_is_equisat_spec : forall f : (Seq.seq (Type.creusat_clause_clause), int), c : Type.creusat_clause_clause, c2 : Type.creusat_clause_clause, c3 : Type.creusat_clause_clause, k : int, m : int . ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_conflict_analysis.rs" 21 0 21 33] FormulaInvariant0.formula_invariant f) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_conflict_analysis.rs" 22 0 22 42] EquisatExtensionInner0.equisat_extension_inner c f) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_conflict_analysis.rs" 23 0 23 35] InFormulaInner0.in_formula_inner c2 f) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_conflict_analysis.rs" 24 0 24 41] ResolventOf0.resolvent_of c3 c c2 k m) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_conflict_analysis.rs" 25 0 25 42] EquisatExtensionInner0.equisat_extension_inner c3 f)
 end
 module CreusotContracts_Logic_Int_Impl18
   
@@ -4866,17 +2602,6 @@ module Alloc_Vec_Impl1_Push_Interface
   val push [@cfg:stackify] (self : borrowed (Type.alloc_vec_vec t a)) (value : t) : ()
     ensures { Model0.model ( ^ self) = Seq.snoc (Model0.model ( * self)) value }
     
-end
-module Alloc_Vec_Impl1_Push
-  type t
-  type a
-  use seq.Seq
-  use prelude.Prelude
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = t, type a = a, axiom .
-  val push [@cfg:stackify] (self : borrowed (Type.alloc_vec_vec t a)) (value : t) : ()
-    ensures { Model0.model ( ^ self) = Seq.snoc (Model0.model ( * self)) value }
-    
 end
 module CreuSat_Trail_Impl0_DecisionLevel_Interface
   use mach.int.UInt64
@@ -4887,38 +2612,8 @@ module CreuSat_Trail_Impl0_DecisionLevel_Interface
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = usize, type a = Type.alloc_alloc_global,
   axiom .
   val decision_level [@cfg:stackify] (self : Type.creusat_trail_trail) : usize
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 36 4 36 50] UInt64.to_int result = Seq.length (Model0.model (Type.creusat_trail_trail_Trail_decisions self)) }
-    
-end
-module CreuSat_Trail_Impl0_DecisionLevel
-  use mach.int.UInt64
-  use seq.Seq
-  use prelude.Prelude
-  use Type
-  use mach.int.Int
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = usize, type a = Type.alloc_alloc_global,
-  function Model0.model = Model0.model
-  let rec cfg decision_level [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 37 4 37 41] (self : Type.creusat_trail_trail) : usize
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 36 4 36 50] UInt64.to_int result = Seq.length (Model0.model (Type.creusat_trail_trail_Trail_decisions self)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 36 4 36 50] UInt64.to_int result = Seq.length (Model0.model (Type.creusat_trail_trail_Trail_decisions self)) }
     
-   =
-  var _0 : usize;
-  var self_1 : Type.creusat_trail_trail;
-  var _2 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  {
-    self_1 <- self;
-    goto BB0
-  }
-  BB0 {
-    _2 <- Type.creusat_trail_trail_Trail_decisions self_1;
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 38 8 38 28] Len0.len _2);
-    goto BB1
-  }
-  BB1 {
-    return _0
-  }
-  
 end
 module CreuSat_ConflictAnalysis_Resolve_Interface
   use mach.int.UInt64
@@ -4927,8 +2622,14 @@ module CreuSat_ConflictAnalysis_Resolve_Interface
   use mach.int.Int32
   use prelude.Prelude
   use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model9 with type t = usize, type a = Type.alloc_alloc_global,
-  axiom .
+  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy4
+  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy3 with type t = usize, type a = Type.alloc_alloc_global
+  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy2 with type t = bool, type a = Type.alloc_alloc_global
+  clone CreusotContracts_Logic_Int_Impl18_ModelTy as ModelTy1
+  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model9 with type t = usize, type a = Type.alloc_alloc_global,
+  axiom .
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model8 with type t = bool, type a = Type.alloc_alloc_global,
   axiom .
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model7
@@ -4936,17 +2637,13 @@ module CreuSat_ConflictAnalysis_Resolve_Interface
   clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat0
   clone CreuSat_Logic_LogicClause_Impl2_ClauseIsSeen_Interface as ClauseIsSeen0
   clone CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface as EquisatExtensionInner0
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy4
   clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model6 with type t = Type.creusat_formula_formula,
   type ModelTy0.modelTy = ModelTy4.modelTy
   clone CreuSat_Logic_LogicUtil_ElemsLessThan_Interface as ElemsLessThan0
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy3 with type t = usize, type a = Type.alloc_alloc_global
   clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model5 with type t = Type.alloc_vec_vec usize (Type.alloc_alloc_global),
   type ModelTy0.modelTy = ModelTy3.modelTy
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy2 with type t = bool, type a = Type.alloc_alloc_global
   clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model4 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global),
   type ModelTy0.modelTy = ModelTy2.modelTy
-  clone CreusotContracts_Logic_Int_Impl18_ModelTy as ModelTy1
   clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model3 with type t = usize,
   type ModelTy0.modelTy = ModelTy1.modelTy
   clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
@@ -4954,610 +2651,39 @@ module CreuSat_ConflictAnalysis_Resolve_Interface
   clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model2
   clone CreuSat_Logic_LogicClause_Impl2_SameIdxSamePolarityExcept_Interface as SameIdxSamePolarityExcept0
   clone CreuSat_Logic_LogicLit_Impl1_IsOpp_Interface as IsOpp0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
   clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model1 with type t = Type.creusat_clause_clause,
   type ModelTy0.modelTy = ModelTy0.modelTy
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
   clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type ModelTy0.modelTy = ModelTy0.modelTy
   clone CreuSat_Logic_LogicClause_Impl2_InFormula_Interface as InFormula0
   clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   axiom .
   val resolve [@cfg:stackify] (_f : Type.creusat_formula_formula) (c : borrowed (Type.creusat_clause_clause)) (o : Type.creusat_clause_clause) (idx : usize) (c_idx : usize) (trail : Type.creusat_trail_trail) (seen : borrowed (Type.alloc_vec_vec bool (Type.alloc_alloc_global))) (path_c : borrowed usize) (to_bump : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global))) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 32 0 32 27] Invariant0.invariant' _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 33 0 33 33] Invariant1.invariant' trail _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 34 0 34 32] UInt64.to_int idx < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 35 0 35 30] InFormula0.in_formula o _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 36 0 39 2] UInt64.to_int c_idx < Seq.length (Model0.model c) && IndexLogic0.index_logic (Seq.get (Model0.model c) (UInt64.to_int c_idx)) = UInt64.to_int idx && IsOpp0.is_opp (Seq.get (Model1.model o) 0) (Seq.get (Model0.model c) (UInt64.to_int c_idx))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 40 0 40 54] SameIdxSamePolarityExcept0.same_idx_same_polarity_except ( * c) o (UInt64.to_int idx)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 42 0 42 96] forall j : (int) . 1 <= j && j < Seq.length (Model1.model o) -> UnsatInner0.unsat_inner (Seq.get (Model1.model o) j) (Model2.model (Type.creusat_trail_trail_Trail_assignments trail))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 43 0 43 50] SatInner0.sat_inner (Seq.get (Model1.model o) 0) (Model2.model (Type.creusat_trail_trail_Trail_assignments trail))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 44 0 44 49] Model3.model path_c > 0 && Model3.model path_c <= Seq.length (Model0.model c)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 47 0 47 42] Seq.length (Model4.model seen) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 49 0 49 52] ElemsLessThan0.elems_less_than (Model5.model to_bump) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 51 0 51 49] EquisatExtensionInner0.equisat_extension_inner ( * c) (Model6.model _f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 52 0 52 46] ClauseIsSeen0.clause_is_seen ( * c) ( * seen)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 53 0 53 46] Unsat0.unsat ( * c) (Type.creusat_trail_trail_Trail_assignments trail)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 54 0 54 45] Invariant2.invariant' ( * c) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 45 0 45 35] UInt64.to_int ( ^ path_c) <= Seq.length (Model7.model ( ^ c)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 48 0 48 42] Seq.length (Model8.model ( ^ seen)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 50 0 50 52] ElemsLessThan0.elems_less_than (Model9.model ( ^ to_bump)) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 51 0 51 49] EquisatExtensionInner0.equisat_extension_inner ( ^ c) (Model6.model _f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 52 0 52 46] ClauseIsSeen0.clause_is_seen ( ^ c) ( ^ seen) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 53 0 53 46] Unsat0.unsat ( ^ c) (Type.creusat_trail_trail_Trail_assignments trail) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 54 0 54 45] Invariant2.invariant' ( ^ c) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
-    
-end
-module CreuSat_ConflictAnalysis_Resolve
-  use mach.int.UInt64
-  use mach.int.Int
-  use seq.Seq
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicClause_Impl2_InFormulaInner as InFormulaInner0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model15 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model7 with function Model0.model = Model15.model
-  clone CreuSat_Logic_LogicClause_Impl2_Equals as Equals0 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicLit_Impl1_LitIn as LitIn0 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy4
-  clone CreuSat_Logic_LogicUtil_ElemsLessThan as ElemsLessThan0
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy3 with type t = usize, type a = Type.alloc_alloc_global
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = bool, type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy2 with type t = bool, type a = Type.alloc_alloc_global
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model4 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model8.model
-  clone CreusotContracts_Logic_Int_Impl18_Model as Model14
-  clone CreusotContracts_Logic_Int_Impl18_ModelTy as ModelTy1
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model3 with type t = usize,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model14.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model13 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model2 with function Model0.model = Model13.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant3 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant5 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant2 with function Model0.model = Model7.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicConflictAnalysis_LemmaEqFormulas as LemmaEqFormulas0 with predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant,
-  predicate Equals0.equals = Equals0.equals, function Model0.model = Model7.model, axiom .
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_IdxInLogic as IdxInLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_ClauseIsSeen as ClauseIsSeen0 with function Model0.model = Model8.model,
-  function Model1.model = Model7.model, predicate IdxInLogic0.idx_in_logic = IdxInLogic0.idx_in_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner1 with function Model0.model = Model7.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner as UnsatInner1 with function Model0.model = Model7.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat as Unsat0 with function Model0.model = Model2.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_SameIdxSamePolarityExcept as SameIdxSamePolarityExcept0 with function Model0.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Logic_LogicLit_Impl1_IsOpp as IsOpp0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Logic_LogicClause_Impl2_ResolventOf as ResolventOf0 with function Model0.model = Model7.model,
-  predicate LitIn0.lit_in = LitIn0.lit_in, predicate IsOpp0.is_opp = IsOpp0.is_opp
-  clone CreuSat_Logic_LogicConflictAnalysis_LemmaResolventOfEquisatExtensionIsEquisat as LemmaResolventOfEquisatExtensionIsEquisat0 with predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
-  predicate InFormulaInner0.in_formula_inner = InFormulaInner0.in_formula_inner,
-  predicate ResolventOf0.resolvent_of = ResolventOf0.resolvent_of,
-  function LemmaEqFormulas0.lemma_eq_formulas = LemmaEqFormulas0.lemma_eq_formulas,
-  predicate Equals0.equals = Equals0.equals, function Model0.model = Model7.model, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model1 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model7.model
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model0 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model7.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model12 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant6 with function Model0.model = Model12.model,
-  function Model1.model = Model7.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant4 with predicate Invariant0.invariant' = Invariant5.invariant',
-  predicate Invariant1.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant4.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model12.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model12.model,
-  function Model1.model = Model7.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model12.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model10 with function Model0.model = Model12.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model6 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy4.modelTy, function Model0.model = Model10.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model12.model,
-  predicate Invariant0.invariant' = Invariant2.invariant', function Model1.model = Model7.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model10.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicClause_Impl2_InFormula as InFormula0 with function Model0.model = Model12.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model11 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model11.model,
-  function Model1.model = Model2.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model11.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model11.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model9.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model2.model,
-  function Model1.model = Model11.model, predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model2.model = Model9.model, function Model3.model = Model12.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model0.model = Model11.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model9.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model2.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model9.model, function Model1.model = Model11.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model5 with type t = Type.alloc_vec_vec usize (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy3.modelTy, function Model0.model = Model9.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve4 with type t = Type.alloc_vec_vec usize (Type.alloc_alloc_global)
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve3 with type t = usize
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global)
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy7 with type t = usize
-  clone Core_Slice_Index_Impl2_Output as Output1 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue1 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds1 with type t = usize
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy6 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy5 with type t = bool
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = bool
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model16 with type t = Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy6.modelTy, function Model0.model = Model15.model
-  clone Alloc_Vec_Impl1_Push_Interface as Push1 with type t = Type.creusat_lit_lit, type a = Type.alloc_alloc_global,
-  function Model0.model = Model15.model
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = bool, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model8.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model17 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model8.model
-  clone CreuSat_Lit_Impl1_Index_Interface as Index1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_ConflictAnalysis_IdxIn_Interface as IdxIn0 with function Model0.model = Model16.model,
-  function Model1.model = Model17.model,
-  predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate IdxInLogic0.idx_in_logic = IdxInLogic0.idx_in_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Clause_Impl0_Index_Interface as Index0 with function Model0.model = Model1.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len0 with function Model0.model = Model1.model
-  clone CreuSat_Clause_Impl3_RemoveFromClause_Interface as RemoveFromClause0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model0.model, function Model1.model = Model7.model, predicate LitIn0.lit_in = LitIn0.lit_in
-  clone CreuSat_Trail_Impl0_DecisionLevel_Interface as DecisionLevel0 with function Model0.model = Model9.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index2 with type t = usize, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model9.model,
-  predicate InBounds0.in_bounds = InBounds1.in_bounds, predicate HasValue0.has_value = HasValue1.has_value,
-  type Output0.output = Output1.output
-  clone Alloc_Vec_Impl1_Push_Interface as Push0 with type t = usize, type a = Type.alloc_alloc_global,
-  function Model0.model = Model9.model
-  let rec cfg resolve [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 55 0 58 1] (_f : Type.creusat_formula_formula) (c : borrowed (Type.creusat_clause_clause)) (o : Type.creusat_clause_clause) (idx : usize) (c_idx : usize) (trail : Type.creusat_trail_trail) (seen : borrowed (Type.alloc_vec_vec bool (Type.alloc_alloc_global))) (path_c : borrowed usize) (to_bump : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global))) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 32 0 32 27] Invariant0.invariant' _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 33 0 33 33] Invariant1.invariant' trail _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 34 0 34 32] UInt64.to_int idx < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 35 0 35 30] InFormula0.in_formula o _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 36 0 39 2] UInt64.to_int c_idx < Seq.length (Model0.model c) && IndexLogic0.index_logic (Seq.get (Model0.model c) (UInt64.to_int c_idx)) = UInt64.to_int idx && IsOpp0.is_opp (Seq.get (Model1.model o) 0) (Seq.get (Model0.model c) (UInt64.to_int c_idx))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 40 0 40 54] SameIdxSamePolarityExcept0.same_idx_same_polarity_except ( * c) o (UInt64.to_int idx)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 42 0 42 96] forall j : (int) . 1 <= j && j < Seq.length (Model1.model o) -> UnsatInner0.unsat_inner (Seq.get (Model1.model o) j) (Model2.model (Type.creusat_trail_trail_Trail_assignments trail))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 43 0 43 50] SatInner0.sat_inner (Seq.get (Model1.model o) 0) (Model2.model (Type.creusat_trail_trail_Trail_assignments trail))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 44 0 44 49] Model3.model path_c > 0 && Model3.model path_c <= Seq.length (Model0.model c)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 47 0 47 42] Seq.length (Model4.model seen) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 49 0 49 52] ElemsLessThan0.elems_less_than (Model5.model to_bump) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 51 0 51 49] EquisatExtensionInner0.equisat_extension_inner ( * c) (Model6.model _f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 52 0 52 46] ClauseIsSeen0.clause_is_seen ( * c) ( * seen)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 53 0 53 46] Unsat0.unsat ( * c) (Type.creusat_trail_trail_Trail_assignments trail)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 54 0 54 45] Invariant2.invariant' ( * c) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 45 0 45 35] UInt64.to_int ( ^ path_c) <= Seq.length (Model7.model ( ^ c)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 48 0 48 42] Seq.length (Model8.model ( ^ seen)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 50 0 50 52] ElemsLessThan0.elems_less_than (Model9.model ( ^ to_bump)) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 51 0 51 49] EquisatExtensionInner0.equisat_extension_inner ( ^ c) (Model6.model _f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 52 0 52 46] ClauseIsSeen0.clause_is_seen ( ^ c) ( ^ seen) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 53 0 53 46] Unsat0.unsat ( ^ c) (Type.creusat_trail_trail_Trail_assignments trail) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 54 0 54 45] Invariant2.invariant' ( ^ c) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 32 0 32 27] Invariant0.invariant' _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 33 0 33 33] Invariant1.invariant' trail _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 34 0 34 32] UInt64.to_int idx < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 35 0 35 30] InFormula0.in_formula o _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 36 0 39 2] UInt64.to_int c_idx < Seq.length (Model0.model c) /\ IndexLogic0.index_logic (Seq.get (Model0.model c) (UInt64.to_int c_idx)) = UInt64.to_int idx /\ IsOpp0.is_opp (Seq.get (Model1.model o) 0) (Seq.get (Model0.model c) (UInt64.to_int c_idx))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 40 0 40 54] SameIdxSamePolarityExcept0.same_idx_same_polarity_except ( * c) o (UInt64.to_int idx)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 42 0 42 96] forall j : (int) . 1 <= j /\ j < Seq.length (Model1.model o) -> UnsatInner0.unsat_inner (Seq.get (Model1.model o) j) (Model2.model (Type.creusat_trail_trail_Trail_assignments trail))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 43 0 43 50] SatInner0.sat_inner (Seq.get (Model1.model o) 0) (Model2.model (Type.creusat_trail_trail_Trail_assignments trail))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 44 0 44 49] Model3.model path_c > 0 /\ Model3.model path_c <= Seq.length (Model0.model c)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 47 0 47 42] Seq.length (Model4.model seen) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 49 0 49 52] ElemsLessThan0.elems_less_than (Model5.model to_bump) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 51 0 51 49] EquisatExtensionInner0.equisat_extension_inner ( * c) (Model6.model _f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 52 0 52 46] ClauseIsSeen0.clause_is_seen ( * c) ( * seen)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 53 0 53 46] Unsat0.unsat ( * c) (Type.creusat_trail_trail_Trail_assignments trail)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 54 0 54 45] Invariant2.invariant' ( * c) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 45 0 45 35] UInt64.to_int ( ^ path_c) <= Seq.length (Model7.model ( ^ c)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 48 0 48 42] Seq.length (Model8.model ( ^ seen)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 50 0 50 52] ElemsLessThan0.elems_less_than (Model9.model ( ^ to_bump)) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 51 0 51 49] EquisatExtensionInner0.equisat_extension_inner ( ^ c) (Model6.model _f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 52 0 52 46] ClauseIsSeen0.clause_is_seen ( ^ c) ( ^ seen) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 53 0 53 46] Unsat0.unsat ( ^ c) (Type.creusat_trail_trail_Trail_assignments trail) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 54 0 54 45] Invariant2.invariant' ( ^ c) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
     
-   =
-  var _0 : ();
-  var _f_1 : Type.creusat_formula_formula;
-  var c_2 : borrowed (Type.creusat_clause_clause);
-  var o_3 : Type.creusat_clause_clause;
-  var idx_4 : usize;
-  var c_idx_5 : usize;
-  var trail_6 : Type.creusat_trail_trail;
-  var seen_7 : borrowed (Type.alloc_vec_vec bool (Type.alloc_alloc_global));
-  var path_c_8 : borrowed usize;
-  var to_bump_9 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  ghost var old_c_10 : borrowed (Type.creusat_clause_clause);
-  var _11 : ();
-  ghost var old_seen_12 : borrowed (Type.alloc_vec_vec bool (Type.alloc_alloc_global));
-  var _13 : ();
-  ghost var old_path_c_14 : borrowed usize;
-  var _15 : ();
-  ghost var old_to_bump_16 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _17 : ();
-  var _18 : ();
-  var _19 : ();
-  var _20 : borrowed (Type.creusat_clause_clause);
-  var _21 : usize;
-  var _22 : Type.creusat_formula_formula;
-  var _23 : borrowed bool;
-  var _24 : borrowed (Type.alloc_vec_vec bool (Type.alloc_alloc_global));
-  var _25 : usize;
-  var _26 : ();
-  var _27 : ();
-  ghost var old_c2_28 : borrowed (Type.creusat_clause_clause);
-  var _29 : ();
-  var _30 : ();
-  var _31 : ();
-  var _32 : ();
-  var i_33 : usize;
-  var _34 : ();
-  var _35 : ();
-  var _36 : bool;
-  var _37 : usize;
-  var _38 : usize;
-  var _39 : Type.creusat_clause_clause;
-  ghost var old_c3_40 : borrowed (Type.creusat_clause_clause);
-  var _41 : ();
-  var _42 : ();
-  var _43 : ();
-  var _44 : bool;
-  var _45 : Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global);
-  var _46 : Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global);
-  var _47 : usize;
-  var _48 : Type.creusat_lit_lit;
-  var _49 : Type.creusat_lit_lit;
-  var _50 : Type.creusat_clause_clause;
-  var _51 : usize;
-  var _52 : Type.alloc_vec_vec bool (Type.alloc_alloc_global);
-  var _53 : borrowed (Type.alloc_vec_vec bool (Type.alloc_alloc_global));
-  var _54 : ();
-  var _55 : ();
-  var _56 : borrowed bool;
-  var _57 : borrowed (Type.alloc_vec_vec bool (Type.alloc_alloc_global));
-  var _58 : usize;
-  var _59 : Type.creusat_lit_lit;
-  var _60 : Type.creusat_lit_lit;
-  var _61 : Type.creusat_clause_clause;
-  var _62 : usize;
-  var _63 : ();
-  var _64 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _65 : usize;
-  var _66 : Type.creusat_lit_lit;
-  var _67 : Type.creusat_lit_lit;
-  var _68 : Type.creusat_clause_clause;
-  var _69 : usize;
-  var _70 : ();
-  var _71 : borrowed (Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global));
-  var _72 : Type.creusat_lit_lit;
-  var _73 : Type.creusat_lit_lit;
-  var _74 : Type.creusat_clause_clause;
-  var _75 : usize;
-  var _76 : ();
-  var _77 : bool;
-  var _78 : usize;
-  var _79 : usize;
-  var _80 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _81 : usize;
-  var _82 : Type.creusat_lit_lit;
-  var _83 : Type.creusat_lit_lit;
-  var _84 : Type.creusat_clause_clause;
-  var _85 : usize;
-  var _86 : usize;
-  var _87 : Type.creusat_trail_trail;
-  var _88 : ();
-  var _89 : ();
-  var _90 : ();
-  var _91 : ();
-  var _92 : ();
-  var _93 : ();
-  var _94 : ();
-  var _95 : ();
-  {
-    _f_1 <- _f;
-    c_2 <- c;
-    o_3 <- o;
-    idx_4 <- idx;
-    c_idx_5 <- c_idx;
-    trail_6 <- trail;
-    seen_7 <- seen;
-    path_c_8 <- path_c;
-    to_bump_9 <- to_bump;
-    goto BB0
-  }
-  BB0 {
-    _11 <- ();
-    old_c_10 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 59 16 59 25] c_2);
-    goto BB1
-  }
-  BB1 {
-    _13 <- ();
-    old_seen_12 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 60 19 60 31] seen_7);
-    goto BB2
-  }
-  BB2 {
-    _15 <- ();
-    old_path_c_14 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 61 21 61 35] path_c_8);
-    goto BB3
-  }
-  BB3 {
-    _17 <- ();
-    old_to_bump_16 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 62 22 62 37] to_bump_9);
-    goto BB4
-  }
-  BB4 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 64 4 64 42] ClauseIsSeen0.clause_is_seen ( * c_2) ( * seen_7) };
-    _18 <- ();
-    _20 <- borrow_mut ( * c_2);
-    c_2 <- { c_2 with current = ( ^ _20) };
-    _21 <- c_idx_5;
-    _22 <- _f_1;
-    _19 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 66 4 66 35] RemoveFromClause0.remove_from_clause _20 _21 _22);
-    goto BB5
-  }
-  BB5 {
-    path_c_8 <- { path_c_8 with current = ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 68 4 68 16]  * path_c_8 - (1 : usize)) };
-    _24 <- borrow_mut ( * seen_7);
-    seen_7 <- { seen_7 with current = ( ^ _24) };
-    _25 <- idx_4;
-    _23 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 69 4 69 13] IndexMut0.index_mut _24 _25);
-    goto BB6
-  }
-  BB6 {
-    _23 <- { _23 with current = false };
-    assume { Resolve0.resolve _23 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 71 4 71 45]  ^ seen_7 =  ^ old_seen_12 };
-    _26 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 72 4 72 42] ClauseIsSeen0.clause_is_seen ( * c_2) ( * seen_7) };
-    _27 <- ();
-    _29 <- ();
-    old_c2_28 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 73 17 73 26] c_2);
-    goto BB7
-  }
-  BB7 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 74 4 74 47] not LitIn0.lit_in (Seq.get (Model0.model old_c_10) (UInt64.to_int c_idx_5)) ( * c_2) };
-    _30 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 75 4 75 39]  ^ c_2 =  ^ old_c_10 };
-    _31 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 76 4 77 50] forall j : (int) . 0 <= j && j < Seq.length (Model0.model old_c_10) && j <> UInt64.to_int c_idx_5 -> LitIn0.lit_in (Seq.get (Model0.model old_c_10) j) ( * c_2) };
-    _32 <- ();
-    i_33 <- (1 : usize);
-    goto BB8
-  }
-  BB8 {
-    invariant inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 81 4 81 48] Invariant2.invariant' ( * c_2) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f_1)) };
-    invariant all_unsat { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 82 4 82 55] Unsat0.unsat ( * c_2) (Type.creusat_trail_trail_Trail_assignments trail_6) };
-    invariant i_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 83 4 83 54] 1 <= UInt64.to_int i_33 && UInt64.to_int i_33 <= Seq.length (Model1.model o_3) };
-    invariant not_in { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 84 4 84 77] not LitIn0.lit_in (Seq.get (Model0.model old_c_10) (UInt64.to_int c_idx_5)) ( * c_2) && not LitIn0.lit_in (Seq.get (Model1.model o_3) 0) ( * c_2) };
-    invariant all_in { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 85 4 85 80] forall j : (int) . 1 <= j && j < UInt64.to_int i_33 -> LitIn0.lit_in (Seq.get (Model1.model o_3) j) ( * c_2) };
-    invariant all_in2 { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 86 4 87 51] forall j : (int) . 0 <= j && j < Seq.length (Model0.model old_c_10) && j <> UInt64.to_int c_idx_5 -> LitIn0.lit_in (Seq.get (Model0.model old_c_10) j) ( * c_2) };
-    invariant from_c_or_o { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 88 4 89 78] forall j : (int) . 0 <= j && j < Seq.length (Model0.model c_2) -> LitIn0.lit_in (Seq.get (Model0.model c_2) j) ( * old_c_10) || LitIn0.lit_in (Seq.get (Model0.model c_2) j) o_3 };
-    invariant path_c_less { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 90 4 90 52] Model3.model path_c_8 <= Seq.length (Model0.model c_2) };
-    invariant seen_is_clause { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 91 4 91 57] ClauseIsSeen0.clause_is_seen ( * c_2) ( * seen_7) };
-    invariant seen_len { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 92 4 92 57] Seq.length (Model4.model seen_7) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f_1) };
-    invariant elems_less { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 93 4 93 69] ElemsLessThan0.elems_less_than (Model5.model to_bump_9) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f_1)) };
-    invariant proph_c { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 94 4 94 47]  ^ c_2 =  ^ old_c_10 };
-    invariant proph_seen { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 95 4 95 56]  ^ seen_7 =  ^ old_seen_12 };
-    invariant proph_path_c { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 96 4 96 62]  ^ path_c_8 =  ^ old_path_c_14 };
-    invariant proph_to_bump { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 97 4 97 65]  ^ to_bump_9 =  ^ old_to_bump_16 };
-    _37 <- i_33;
-    _39 <- o_3;
-    _38 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 98 14 98 21] Len0.len _39);
-    goto BB9
-  }
-  BB9 {
-    _36 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 98 10 98 21] _37 < _38);
-    switch (_36)
-      | False -> goto BB33
-      | _ -> goto BB10
-      end
-  }
-  BB10 {
-    _41 <- ();
-    old_c3_40 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 99 21 99 30] c_2);
-    goto BB11
-  }
-  BB11 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 100 8 100 44]  ^ c_2 =  ^ old_c3_40 };
-    _42 <- ();
-    _46 <- Type.creusat_clause_clause_Clause_lits ( * c_2);
-    _45 <- _46;
-    _50 <- o_3;
-    _51 <- i_33;
-    _49 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 101 27 101 31] Index0.index _50 _51);
-    goto BB12
-  }
-  BB12 {
-    _48 <- _49;
-    _47 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 101 27 101 39] Index1.index _48);
-    goto BB13
-  }
-  BB13 {
-    _53 <- seen_7;
-    _52 <-  * _53;
-    _44 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 101 11 101 47] IdxIn0.idx_in _45 _47 _52);
-    goto BB14
-  }
-  BB14 {
-    switch (_44)
-      | False -> goto BB16
-      | _ -> goto BB15
-      end
-  }
-  BB15 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 103 12 103 46] LitIn0.lit_in (Seq.get (Model1.model o_3) (UInt64.to_int i_33)) ( * c_2) };
-    _54 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 104 12 104 40] Model0.model c_2 = Model0.model old_c3_40 };
-    _55 <- ();
-    _43 <- ();
-    goto BB32
-  }
-  BB16 {
-    _57 <- borrow_mut ( * seen_7);
-    seen_7 <- { seen_7 with current = ( ^ _57) };
-    _61 <- o_3;
-    _62 <- i_33;
-    _60 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 106 17 106 21] Index0.index _61 _62);
-    goto BB17
-  }
-  BB17 {
-    _59 <- _60;
-    _58 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 106 17 106 29] Index1.index _59);
-    goto BB18
-  }
-  BB18 {
-    _56 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 106 12 106 30] IndexMut0.index_mut _57 _58);
-    goto BB19
-  }
-  BB19 {
-    _56 <- { _56 with current = true };
-    assume { Resolve0.resolve _56 };
-    _64 <- borrow_mut ( * to_bump_9);
-    to_bump_9 <- { to_bump_9 with current = ( ^ _64) };
-    _68 <- o_3;
-    _69 <- i_33;
-    _67 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 107 25 107 29] Index0.index _68 _69);
-    goto BB20
-  }
-  BB20 {
-    _66 <- _67;
-    _65 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 107 25 107 37] Index1.index _66);
-    goto BB21
-  }
-  BB21 {
-    _63 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 107 12 107 38] Push0.push _64 _65);
-    goto BB22
-  }
-  BB22 {
-    _71 <- borrow_mut (Type.creusat_clause_clause_Clause_lits ( * c_2));
-    c_2 <- { c_2 with current = (let Type.CreuSat_Clause_Clause a b c d =  * c_2 in Type.CreuSat_Clause_Clause a b c ( ^ _71)) };
-    _74 <- o_3;
-    _75 <- i_33;
-    _73 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 108 24 108 28] Index0.index _74 _75);
-    goto BB23
-  }
-  BB23 {
-    _72 <- _73;
-    _70 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 108 12 108 29] Push1.push _71 _72);
-    goto BB24
-  }
-  BB24 {
-    _80 <- Type.creusat_trail_trail_Trail_lit_to_level trail_6;
-    _84 <- o_3;
-    _85 <- i_33;
-    _83 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 109 34 109 38] Index0.index _84 _85);
-    goto BB25
-  }
-  BB25 {
-    _82 <- _83;
-    _81 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 109 34 109 46] Index1.index _82);
-    goto BB26
-  }
-  BB26 {
-    _79 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 109 15 109 47] Index2.index _80 _81);
-    goto BB27
-  }
-  BB27 {
-    _78 <- _79;
-    _87 <- trail_6;
-    _86 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 109 51 109 73] DecisionLevel0.decision_level _87);
-    goto BB28
-  }
-  BB28 {
-    _77 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 109 15 109 73] _78 >= _86);
-    switch (_77)
-      | False -> goto BB30
-      | _ -> goto BB29
-      end
-  }
-  BB29 {
-    path_c_8 <- { path_c_8 with current = ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 110 16 110 28]  * path_c_8 + (1 : usize)) };
-    _76 <- ();
-    goto BB31
-  }
-  BB30 {
-    _76 <- ();
-    goto BB31
-  }
-  BB31 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 112 12 112 57] Model0.model c_2 = Seq.snoc (Model0.model old_c3_40) (Seq.get (Model1.model o_3) (UInt64.to_int i_33)) };
-    _88 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 113 12 113 46] LitIn0.lit_in (Seq.get (Model1.model o_3) (UInt64.to_int i_33)) ( * c_2) };
-    _89 <- ();
-    _43 <- ();
-    goto BB32
-  }
-  BB32 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 115 8 116 38] forall j : (int) . 0 <= j && j < Seq.length (Model0.model old_c3_40) -> Seq.get (Model0.model old_c3_40) j = Seq.get (Model0.model c_2) j };
-    _90 <- ();
-    i_33 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 117 8 117 14] i_33 + (1 : usize));
-    _35 <- ();
-    goto BB8
-  }
-  BB33 {
-    assume { Resolve1.resolve c_2 };
-    assume { Resolve2.resolve seen_7 };
-    assume { Resolve3.resolve path_c_8 };
-    assume { Resolve4.resolve to_bump_9 };
-    _34 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 119 4 119 64] ResolventOf0.resolvent_of ( * c_2) ( * old_c_10) o_3 0 (UInt64.to_int c_idx_5) };
-    _94 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 120 4 120 111] let _ = LemmaResolventOfEquisatExtensionIsEquisat0.lemma_resolvent_of_equisat_extension_is_equisat (Model6.model _f_1) ( * old_c_10) o_3 ( * c_2) (UInt64.to_int c_idx_5) 0 in true };
-    _95 <- ();
-    _0 <- ();
-    return _0
-  }
-  
 end
 module CreuSat_ConflictAnalysis_ChooseLiteral_Interface
   use seq.Seq
@@ -5566,372 +2692,66 @@ module CreuSat_ConflictAnalysis_ChooseLiteral_Interface
   use Type
   use prelude.Prelude
   use mach.int.Int32
+  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy2
+  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy1 with type t = bool, type a = Type.alloc_alloc_global
+  clone CreusotContracts_Logic_Int_Impl18_ModelTy as ModelTy0
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
   clone CreuSat_Logic_LogicLit_Impl1_IsOpp_Interface as IsOpp0
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy2
   clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model3 with type t = Type.creusat_clause_clause,
   type ModelTy0.modelTy = ModelTy2.modelTy
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy1 with type t = bool, type a = Type.alloc_alloc_global
   clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model2 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global),
   type ModelTy0.modelTy = ModelTy1.modelTy
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_trail_step,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Logic_Int_Impl18_ModelTy as ModelTy0
   clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model0 with type t = usize,
   type ModelTy0.modelTy = ModelTy0.modelTy
   clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat0
   clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant0
   val choose_literal [@cfg:stackify] (c : Type.creusat_clause_clause) (trail : Type.creusat_trail_trail) (i : borrowed usize) (_f : Type.creusat_formula_formula) (seen : Type.alloc_vec_vec bool (Type.alloc_alloc_global)) : Type.core_option_option usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 125 0 125 33] Invariant0.invariant' trail _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 126 0 126 39] Unsat0.unsat c (Type.creusat_trail_trail_Trail_assignments trail)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 127 0 127 39] Model0.model i <= Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail trail))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 128 0 128 42] Seq.length (Model2.model seen) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 129 0 137 3] match (result) with
-      | Type.Core_Option_Option_Some r -> UInt64.to_int r < Seq.length (Model3.model c) && IsOpp0.is_opp (Seq.get (Model3.model c) (UInt64.to_int r)) (Type.creusat_trail_step_Step_lit (Seq.get (Model1.model (Type.creusat_trail_trail_Trail_trail trail)) (UInt64.to_int ( ^ i)))) && IndexLogic0.index_logic (Seq.get (Model3.model c) (UInt64.to_int r)) = IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit (Seq.get (Model1.model (Type.creusat_trail_trail_Trail_trail trail)) (UInt64.to_int ( ^ i)))) && UInt64.to_int ( ^ i) < Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail trail))
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 125 0 125 33] Invariant0.invariant' trail _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 126 0 126 39] Unsat0.unsat c (Type.creusat_trail_trail_Trail_assignments trail)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 127 0 127 39] Model0.model i <= Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail trail))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 128 0 128 42] Seq.length (Model2.model seen) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 129 0 137 3] match (result) with
+      | Type.Core_Option_Option_Some r -> UInt64.to_int r < Seq.length (Model3.model c) /\ IsOpp0.is_opp (Seq.get (Model3.model c) (UInt64.to_int r)) (Type.creusat_trail_step_Step_lit (Seq.get (Model1.model (Type.creusat_trail_trail_Trail_trail trail)) (UInt64.to_int ( ^ i)))) /\ IndexLogic0.index_logic (Seq.get (Model3.model c) (UInt64.to_int r)) = IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit (Seq.get (Model1.model (Type.creusat_trail_trail_Trail_trail trail)) (UInt64.to_int ( ^ i)))) /\ UInt64.to_int ( ^ i) < Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail trail))
       | Type.Core_Option_Option_None -> UInt64.to_int ( ^ i) = 0
       end }
     
 end
-module CreuSat_ConflictAnalysis_ChooseLiteral
-  use seq.Seq
+module CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface
+  use Type
   use mach.int.Int
-  use mach.int.UInt64
+  predicate invariant' (self : Type.creusat_decision_decisions) (n : int)
+end
+module CreuSat_Logic_LogicDecision_Impl0_Invariant
   use Type
-  use prelude.Prelude
-  use mach.int.Int32
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model11 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model8 with function Model0.model = Model11.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model5 with function Model0.model = Model10.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant1 with function Model0.model = Model5.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant4 with function Model0.model = Model9.model,
-  function Model1.model = Model8.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model5.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model9.model,
-  function Model1.model = Model8.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant3 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant2 with predicate Invariant0.invariant' = Invariant3.invariant',
-  predicate Invariant1.invariant' = Invariant4.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant2.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model8.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model9.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner as UnsatInner0 with function Model0.model = Model8.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat as Unsat0 with function Model0.model = Model5.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model8.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model9.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicLit_Impl1_IsOpp as IsOpp0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy2
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model3 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model8.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = bool, type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy1 with type t = bool, type a = Type.alloc_alloc_global
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model2 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model7.model
-  clone CreusotContracts_Logic_Int_Impl18_Model as Model6
-  clone CreusotContracts_Logic_Int_Impl18_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model0 with type t = usize,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model6.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model1.model,
-  function Model1.model = Model5.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model1.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model1.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model4.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model5.model,
-  function Model1.model = Model1.model, predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model2.model = Model4.model, function Model3.model = Model9.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant1.invariant', function Model0.model = Model1.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model4.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model5.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant0 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model4.model, function Model1.model = Model1.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy4 with type t = bool
-  clone Core_Slice_Index_Impl2_Output as Output1 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue1 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds1 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy3 with type t = Type.creusat_trail_step
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_trail_step
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_trail_step
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_trail_step
-  clone CreuSat_Lit_Impl1_Index_Interface as Index1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Clause_Impl0_Index_Interface as Index3 with function Model0.model = Model3.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len0 with function Model0.model = Model3.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index2 with type t = bool, type i = usize, type a = Type.alloc_alloc_global,
-  function Model0.model = Model7.model, predicate InBounds0.in_bounds = InBounds1.in_bounds,
-  predicate HasValue0.has_value = HasValue1.has_value, type Output0.output = Output1.output
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.creusat_trail_step, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model1.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  let rec cfg choose_literal [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 138 0 138 108] (c : Type.creusat_clause_clause) (trail : Type.creusat_trail_trail) (i : borrowed usize) (_f : Type.creusat_formula_formula) (seen : Type.alloc_vec_vec bool (Type.alloc_alloc_global)) : Type.core_option_option usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 125 0 125 33] Invariant0.invariant' trail _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 126 0 126 39] Unsat0.unsat c (Type.creusat_trail_trail_Trail_assignments trail)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 127 0 127 39] Model0.model i <= Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail trail))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 128 0 128 42] Seq.length (Model2.model seen) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 129 0 137 3] match (result) with
-      | Type.Core_Option_Option_Some r -> UInt64.to_int r < Seq.length (Model3.model c) && IsOpp0.is_opp (Seq.get (Model3.model c) (UInt64.to_int r)) (Type.creusat_trail_step_Step_lit (Seq.get (Model1.model (Type.creusat_trail_trail_Trail_trail trail)) (UInt64.to_int ( ^ i)))) && IndexLogic0.index_logic (Seq.get (Model3.model c) (UInt64.to_int r)) = IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit (Seq.get (Model1.model (Type.creusat_trail_trail_Trail_trail trail)) (UInt64.to_int ( ^ i)))) && UInt64.to_int ( ^ i) < Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail trail))
-      | Type.Core_Option_Option_None -> UInt64.to_int ( ^ i) = 0
-      end }
-    
-   =
-  var _0 : Type.core_option_option usize;
-  var c_1 : Type.creusat_clause_clause;
-  var trail_2 : Type.creusat_trail_trail;
-  var i_3 : borrowed usize;
-  var _f_4 : Type.creusat_formula_formula;
-  var seen_5 : Type.alloc_vec_vec bool (Type.alloc_alloc_global);
-  ghost var old_i_6 : borrowed usize;
-  var _7 : ();
-  var _8 : ();
-  var _9 : ();
-  var _10 : bool;
-  var _11 : usize;
-  var _12 : bool;
-  var _13 : bool;
-  var _14 : Type.alloc_vec_vec bool (Type.alloc_alloc_global);
-  var _15 : usize;
-  var _16 : Type.creusat_lit_lit;
-  var _17 : Type.creusat_trail_step;
-  var _18 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var _19 : usize;
-  var k_20 : usize;
-  var _21 : bool;
-  var _22 : usize;
-  var _23 : usize;
-  var _24 : Type.creusat_clause_clause;
-  var _25 : ();
-  var _26 : bool;
-  var _27 : usize;
-  var _28 : Type.creusat_lit_lit;
-  var _29 : Type.creusat_trail_step;
-  var _30 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var _31 : usize;
-  var _32 : usize;
-  var _33 : Type.creusat_lit_lit;
-  var _34 : Type.creusat_lit_lit;
-  var _35 : Type.creusat_clause_clause;
-  var _36 : usize;
-  var _37 : ();
-  var _38 : usize;
-  var _39 : ();
-  var _40 : ();
-  var _41 : ();
-  var _42 : ();
-  var _43 : ();
-  var _44 : ();
-  {
-    c_1 <- c;
-    trail_2 <- trail;
-    i_3 <- i;
-    _f_4 <- _f;
-    seen_5 <- seen;
-    goto BB0
-  }
-  BB0 {
-    _7 <- ();
-    old_i_6 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 139 16 139 26] i_3);
-    goto BB1
-  }
-  BB1 {
-    goto BB2
-  }
-  BB2 {
-    invariant i_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 140 4 140 64] 0 <= Model0.model i_3 && Model0.model i_3 <= Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail trail_2)) };
-    invariant proph_i { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 141 4 141 47]  ^ i_3 =  ^ old_i_6 };
-    _11 <-  * i_3;
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 142 10 142 16] _11 > (0 : usize));
-    switch (_10)
-      | False -> goto BB20
-      | _ -> goto BB3
-      end
-  }
-  BB3 {
-    i_3 <- { i_3 with current = ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 143 8 143 15]  * i_3 - (1 : usize)) };
-    _14 <- seen_5;
-    _18 <- Type.creusat_trail_trail_Trail_trail trail_2;
-    _19 <-  * i_3;
-    _17 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 144 16 144 31] Index0.index _18 _19);
-    goto BB4
-  }
-  BB4 {
-    _16 <- Type.creusat_trail_step_Step_lit _17;
-    _15 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 144 16 144 43] Index1.index _16);
-    goto BB5
-  }
-  BB5 {
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 144 11 144 44] Index2.index _14 _15);
-    goto BB6
-  }
-  BB6 {
-    _12 <- _13;
-    switch (_12)
-      | False -> goto BB18
-      | _ -> goto BB7
-      end
-  }
-  BB7 {
-    k_20 <- (0 : usize);
-    goto BB8
-  }
-  BB8 {
-    invariant i_bound2 { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 146 12 146 72] 0 <= Model0.model i_3 && Model0.model i_3 < Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail trail_2)) };
-    invariant k_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 147 12 147 62] 0 <= UInt64.to_int k_20 && UInt64.to_int k_20 <= Seq.length (Model3.model c_1) };
-    invariant proph_i2 { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 148 12 148 56]  ^ i_3 =  ^ old_i_6 };
-    _22 <- k_20;
-    _24 <- c_1;
-    _23 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 149 22 149 29] Len0.len _24);
-    goto BB9
-  }
-  BB9 {
-    _21 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 149 18 149 29] _22 < _23);
-    switch (_21)
-      | False -> goto BB17
-      | _ -> goto BB10
-      end
-  }
-  BB10 {
-    _30 <- Type.creusat_trail_trail_Trail_trail trail_2;
-    _31 <-  * i_3;
-    _29 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 150 19 150 34] Index0.index _30 _31);
-    goto BB11
-  }
-  BB11 {
-    _28 <- Type.creusat_trail_step_Step_lit _29;
-    _27 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 150 19 150 46] Index1.index _28);
-    goto BB12
-  }
-  BB12 {
-    _35 <- c_1;
-    _36 <- k_20;
-    _34 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 150 50 150 54] Index3.index _35 _36);
-    goto BB13
-  }
-  BB13 {
-    _33 <- _34;
-    _32 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 150 50 150 62] Index1.index _33);
-    goto BB14
-  }
-  BB14 {
-    _26 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 150 19 150 62] _27 = _32);
-    switch (_26)
-      | False -> goto BB16
-      | _ -> goto BB15
-      end
-  }
-  BB15 {
-    assume { Resolve0.resolve i_3 };
-    _38 <- k_20;
-    _0 <- Type.Core_Option_Option_Some _38;
-    goto BB21
-  }
-  BB16 {
-    _25 <- ();
-    k_20 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 153 16 153 22] k_20 + (1 : usize));
-    _9 <- ();
-    goto BB8
-  }
-  BB17 {
-    _9 <- ();
-    goto BB19
-  }
-  BB18 {
-    _9 <- ();
-    goto BB19
-  }
-  BB19 {
-    goto BB2
-  }
-  BB20 {
-    assume { Resolve0.resolve i_3 };
-    _8 <- ();
-    _0 <- Type.Core_Option_Option_None;
-    goto BB21
-  }
-  BB21 {
-    return _0
-  }
-  
-end
-module CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface
-  use Type
-  use mach.int.Int
-  predicate invariant' (self : Type.creusat_decision_decisions) (n : int)
-end
-module CreuSat_Logic_LogicDecision_Impl0_Invariant
-  use Type
-  use mach.int.Int
-  use seq.Seq
-  use mach.int.UInt64
+  use mach.int.Int
+  use seq.Seq
+  use mach.int.UInt64
   use prelude.Prelude
   use mach.int.Int32
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_decision_node,
   type a = Type.alloc_alloc_global, axiom .
-  predicate invariant' [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_decision.rs" 9 4 9 42] (self : Type.creusat_decision_decisions) (n : int)
+  predicate invariant' [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_decision.rs" 9 4 9 42] (self : Type.creusat_decision_decisions) (n : int)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_decision.rs" 10 8 17 9] Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) = n && (UInt64.to_int (Type.creusat_decision_decisions_Decisions_search self) < Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) || UInt64.to_int (Type.creusat_decision_decisions_Decisions_search self) = 18446744073709551615) && UInt64.to_int (Type.creusat_decision_decisions_Decisions_start self) < Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) && (forall i : (int) . 0 <= i && i < Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) -> (UInt64.to_int (Type.creusat_decision_node_Node_next (Seq.get (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) i)) = 18446744073709551615 || UInt64.to_int (Type.creusat_decision_node_Node_next (Seq.get (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) i)) < n) && (UInt64.to_int (Type.creusat_decision_node_Node_prev (Seq.get (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) i)) = 18446744073709551615 || UInt64.to_int (Type.creusat_decision_node_Node_prev (Seq.get (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) i)) < n))
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_decision.rs" 10 8 17 9] Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) = n /\ (UInt64.to_int (Type.creusat_decision_decisions_Decisions_search self) < Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) \/ UInt64.to_int (Type.creusat_decision_decisions_Decisions_search self) = 18446744073709551615) /\ UInt64.to_int (Type.creusat_decision_decisions_Decisions_start self) < Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) /\ (forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) -> (UInt64.to_int (Type.creusat_decision_node_Node_next (Seq.get (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) i)) = 18446744073709551615 \/ UInt64.to_int (Type.creusat_decision_node_Node_next (Seq.get (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) i)) < n) /\ (UInt64.to_int (Type.creusat_decision_node_Node_prev (Seq.get (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) i)) = 18446744073709551615 \/ UInt64.to_int (Type.creusat_decision_node_Node_prev (Seq.get (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list self)) i)) < n))
 end
-module CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable_Interface
+module CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable_Interface
   use Type
   predicate not_satisfiable (self : Type.creusat_formula_formula)
 end
-module CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable
+module CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable
   use Type
   use seq.Seq
   use mach.int.Int
   use mach.int.Int32
   clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension_Interface as EquisatExtension0
   clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate not_satisfiable [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 168 4 168 40] (self : Type.creusat_formula_formula)
+  predicate not_satisfiable [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 175 4 175 40] (self : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 169 8 171 9] exists c : (Type.creusat_clause_clause) . Seq.length (Model0.model c) = 0 && EquisatExtension0.equisat_extension c self
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 176 8 178 9] exists c : (Type.creusat_clause_clause) . Seq.length (Model0.model c) = 0 /\ EquisatExtension0.equisat_extension c self
 end
 module Alloc_Vec_Impl0_New_Interface
   type t
@@ -5944,18 +2764,6 @@ module Alloc_Vec_Impl0_New_Interface
   val new [@cfg:stackify] (_ : ()) : Type.alloc_vec_vec t (Type.alloc_alloc_global)
     ensures { Seq.length (Model0.model result) = 0 }
     
-end
-module Alloc_Vec_Impl0_New
-  type t
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = t, type a = Type.alloc_alloc_global,
-  axiom .
-  val new [@cfg:stackify] (_ : ()) : Type.alloc_vec_vec t (Type.alloc_alloc_global)
-    ensures { Seq.length (Model0.model result) = 0 }
-    
 end
 module CreuSat_Formula_Impl0_Index_Interface
   use mach.int.UInt64
@@ -5967,59 +2775,9 @@ module CreuSat_Formula_Impl0_Index_Interface
   clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_formula_formula,
   type ModelTy0.modelTy = ModelTy0.modelTy
   val index [@cfg:stackify] (self : Type.creusat_formula_formula) (ix : usize) : Type.creusat_clause_clause
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 29 4 29 38] UInt64.to_int ix < Seq.length (let (a, _) = Model0.model self in a)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 30 4 30 41] Seq.get (let (a, _) = Model0.model self in a) (UInt64.to_int ix) = result }
-    
-end
-module CreuSat_Formula_Impl0_Index
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_clause_clause
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_clause_clause
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.creusat_clause_clause, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  let rec cfg index [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 31 4 31 41] (self : Type.creusat_formula_formula) (ix : usize) : Type.creusat_clause_clause
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 29 4 29 38] UInt64.to_int ix < Seq.length (let (a, _) = Model0.model self in a)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 30 4 30 41] Seq.get (let (a, _) = Model0.model self in a) (UInt64.to_int ix) = result }
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 29 4 29 38] UInt64.to_int ix < Seq.length (let (a, _) = Model0.model self in a)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 30 4 30 41] Seq.get (let (a, _) = Model0.model self in a) (UInt64.to_int ix) = result }
     
-   =
-  var _0 : Type.creusat_clause_clause;
-  var self_1 : Type.creusat_formula_formula;
-  var ix_2 : usize;
-  var _3 : Type.creusat_clause_clause;
-  var _4 : Type.creusat_clause_clause;
-  var _5 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _6 : usize;
-  {
-    self_1 <- self;
-    ix_2 <- ix;
-    goto BB0
-  }
-  BB0 {
-    _5 <- Type.creusat_formula_formula_Formula_clauses self_1;
-    _6 <- ix_2;
-    _4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 37 9 37 25] Index0.index _5 _6);
-    goto BB1
-  }
-  BB1 {
-    _3 <- _4;
-    _0 <- _3;
-    return _0
-  }
-  
 end
 module CreusotContracts_Logic_Resolve_Resolve_Resolve_Interface
   type self
@@ -6044,7 +2802,7 @@ module CreusotContracts_Std1_Vec_Impl1_Resolve
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = t, type a = Type.alloc_alloc_global,
   axiom .
   predicate resolve (self : Type.alloc_vec_vec t (Type.alloc_alloc_global)) =
-    forall i : (int) . 0 <= i && i < Seq.length (Model0.model self) -> Resolve0.resolve (Seq.get (Model0.model self) i)
+    forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model self) -> Resolve0.resolve (Seq.get (Model0.model self) i)
 end
 module CreuSat_Logic_LogicUtil_SortedRangeTupleZeroth_Interface
   use seq.Seq
@@ -6058,10 +2816,10 @@ module CreuSat_Logic_LogicUtil_SortedRangeTupleZeroth
   use mach.int.Int
   use prelude.Prelude
   use mach.int.UInt64
-  predicate sorted_range_tuple_zeroth [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 34 0 34 80] (s : Seq.seq (usize, usize)) (l : int) (u : int)
+  predicate sorted_range_tuple_zeroth [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 34 0 34 80] (s : Seq.seq (usize, usize)) (l : int) (u : int)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 35 4 37 5] forall j : (int) . forall i : (int) . l <= i && i < j && j < u -> (let (a, _) = Seq.get s i in a) <= (let (a, _) = Seq.get s j in a)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 35 4 37 5] forall j : (int) . forall i : (int) . l <= i /\ i < j /\ j < u -> (let (a, _) = Seq.get s i in a) <= (let (a, _) = Seq.get s j in a)
 end
 module CreuSat_Logic_LogicUtil_SortedTupleZeroth_Interface
   use seq.Seq
@@ -6077,10 +2835,10 @@ module CreuSat_Logic_LogicUtil_SortedTupleZeroth
   use mach.int.UInt64
   use mach.int.Int32
   clone CreuSat_Logic_LogicUtil_SortedRangeTupleZeroth_Interface as SortedRangeTupleZeroth0
-  predicate sorted_tuple_zeroth [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 41 0 41 58] (s : Seq.seq (usize, usize))
+  predicate sorted_tuple_zeroth [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 41 0 41 58] (s : Seq.seq (usize, usize))
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 42 4 44 5] SortedRangeTupleZeroth0.sorted_range_tuple_zeroth s 0 (Seq.length s)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 42 4 44 5] SortedRangeTupleZeroth0.sorted_range_tuple_zeroth s 0 (Seq.length s)
 end
 module CreusotContracts_Logic_Seq_Impl2_PermutationOf_Interface
   type t
@@ -6109,18228 +2867,5350 @@ module CreuSat_Logic_LogicUtil_Partition
   use prelude.Prelude
   use mach.int.UInt64
   use mach.int.Int32
-  predicate partition [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 48 0 48 56] (v : Seq.seq (usize, usize)) (i : int)
+  predicate partition [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 48 0 48 56] (v : Seq.seq (usize, usize)) (i : int)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 49 4 49 109] forall k2 : (int) . forall k1 : (int) . 0 <= k1 && k1 < i && i <= k2 && k2 < Seq.length v -> (let (a, _) = Seq.get v k1 in a) <= (let (a, _) = Seq.get v k2 in a)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 49 4 49 109] forall k2 : (int) . forall k1 : (int) . 0 <= k1 /\ k1 < i /\ i <= k2 /\ k2 < Seq.length v -> (let (a, _) = Seq.get v k1 in a) <= (let (a, _) = Seq.get v k2 in a)
 end
 module CreuSat_Util_Sort_Interface
   use prelude.Prelude
   use Type
   use mach.int.Int
   use mach.int.UInt64
-  clone CreusotContracts_Logic_Seq_Impl2_PermutationOf_Interface as PermutationOf0 with type t = (usize, usize)
   clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy0 with type t = (usize, usize),
   type a = Type.alloc_alloc_global
+  clone CreusotContracts_Logic_Seq_Impl2_PermutationOf_Interface as PermutationOf0 with type t = (usize, usize)
   clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model1 with type t = Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global),
   type ModelTy0.modelTy = ModelTy0.modelTy
   clone CreuSat_Logic_LogicUtil_SortedTupleZeroth_Interface as SortedTupleZeroth0
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = (usize, usize),
   type a = Type.alloc_alloc_global, axiom .
   val sort [@cfg:stackify] (v : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global))) : ()
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 60 0 60 36] SortedTupleZeroth0.sorted_tuple_zeroth (Model0.model ( ^ v)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 61 0 61 36] PermutationOf0.permutation_of (Model0.model ( ^ v)) (Model1.model v) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/util.rs" 60 0 60 36] SortedTupleZeroth0.sorted_tuple_zeroth (Model0.model ( ^ v)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/util.rs" 61 0 61 36] PermutationOf0.permutation_of (Model0.model ( ^ v)) (Model1.model v) }
     
 end
-module CreuSat_Util_Sort
+module CreuSat_Decision_Impl1_Rescore_Interface
+  use mach.int.UInt64
+  use seq.Seq
+  use mach.int.Int
   use prelude.Prelude
+  use mach.int.Int32
   use Type
-  use mach.int.Int
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_decision_node,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant0
+  val rescore [@cfg:stackify] (self : borrowed (Type.creusat_decision_decisions)) (_f : Type.creusat_formula_formula) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 130 4 130 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 131 4 131 56] Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self))) < 18446744073709551615}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 130 4 130 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 132 4 132 67] UInt64.to_int (Type.creusat_decision_decisions_Decisions_timestamp ( ^ self)) = Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self))) + 1 }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 133 4 133 73] Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( ^ self))) = Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self))) }
+    
+end
+module CreuSat_Decision_Impl1_MoveToFront_Interface
   use mach.int.UInt64
+  use mach.int.Int
+  use prelude.Prelude
   use seq.Seq
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicUtil_Partition as Partition0
-  clone CreusotContracts_Logic_Seq_Impl2_PermutationOf as PermutationOf0 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy0 with type t = (usize, usize),
-  type a = Type.alloc_alloc_global
-  clone CreuSat_Logic_LogicUtil_SortedRangeTupleZeroth as SortedRangeTupleZeroth0
-  clone CreuSat_Logic_LogicUtil_SortedTupleZeroth as SortedTupleZeroth0 with predicate SortedRangeTupleZeroth0.sorted_range_tuple_zeroth = SortedRangeTupleZeroth0.sorted_range_tuple_zeroth
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = (usize, usize), type a = Type.alloc_alloc_global,
-  axiom .
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model1 with type t = Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model0.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global)
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = seq (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl0_Model as Model2 with type t = (usize, usize), axiom .
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = (usize, usize)
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model3 with type t = seq (usize, usize),
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model2.model
-  clone Core_Slice_Impl0_Swap_Interface as Swap0 with type t = (usize, usize), function Model0.model = Model3.model,
-  function Model1.model = Model2.model
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = (usize, usize)
-  clone Alloc_Vec_Impl11_DerefMut_Interface as DerefMut0 with type t = (usize, usize), type a = Type.alloc_alloc_global,
-  function Model0.model = Model2.model, function Model1.model = Model0.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = (usize, usize), type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = (usize, usize), type a = Type.alloc_alloc_global,
-  function Model0.model = Model0.model
-  let rec cfg sort [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 62 0 62 40] (v : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global))) : ()
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 60 0 60 36] SortedTupleZeroth0.sorted_tuple_zeroth (Model0.model ( ^ v)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 61 0 61 36] PermutationOf0.permutation_of (Model0.model ( ^ v)) (Model1.model v) }
+  use Type
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_decision_node,
+  type a = Type.alloc_alloc_global, axiom .
+  val move_to_front [@cfg:stackify] (self : borrowed (Type.creusat_decision_decisions)) (tomove : usize) (_f : Type.creusat_formula_formula) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 160 4 160 43] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f) < 18446744073709551615}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 161 4 161 52] UInt64.to_int tomove < Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 162 4 162 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 162 4 162 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
     
-   =
-  var _0 : ();
-  var v_1 : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global));
-  var i_2 : usize;
-  ghost var old_v_3 : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global));
-  var _4 : ();
-  var _5 : ();
-  var _6 : bool;
-  var _7 : usize;
-  var _8 : usize;
-  var _9 : Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global);
-  var max_10 : usize;
-  var j_11 : usize;
-  var _12 : usize;
-  var _13 : ();
-  var _14 : bool;
-  var _15 : usize;
-  var _16 : usize;
-  var _17 : Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global);
-  var _18 : ();
-  var _19 : bool;
-  var _20 : usize;
-  var _21 : (usize, usize);
-  var _22 : Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global);
-  var _23 : usize;
-  var _24 : usize;
-  var _25 : (usize, usize);
-  var _26 : Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global);
-  var _27 : usize;
-  var _28 : usize;
-  var _29 : ();
-  var _30 : ();
-  var _31 : ();
-  var _32 : ();
-  var _33 : borrowed (seq (usize, usize));
-  var _34 : borrowed (seq (usize, usize));
-  var _35 : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global));
-  var _36 : usize;
-  var _37 : usize;
-  var _38 : ();
-  var _39 : ();
-  var _40 : ();
-  {
-    v_1 <- v;
-    goto BB0
-  }
-  BB0 {
-    i_2 <- (0 : usize);
-    _4 <- ();
-    old_v_3 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 64 16 64 28] v_1);
-    goto BB1
-  }
-  BB1 {
-    goto BB2
-  }
-  BB2 {
-    invariant proph_const { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 65 4 65 51]  ^ v_1 =  ^ old_v_3 };
-    invariant permutation { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 66 4 66 67] PermutationOf0.permutation_of (Model1.model v_1) (Model0.model ( * old_v_3)) };
-    invariant i_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 67 4 67 43] UInt64.to_int i_2 <= Seq.length (Model1.model v_1) };
-    invariant sorted { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 68 4 68 62] SortedRangeTupleZeroth0.sorted_range_tuple_zeroth (Model1.model v_1) 0 (UInt64.to_int i_2) };
-    invariant partition { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 69 4 69 46] Partition0.partition (Model1.model v_1) (UInt64.to_int i_2) };
-    _7 <- i_2;
-    _9 <-  * v_1;
-    _8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 70 14 70 21] Len0.len _9);
-    goto BB3
-  }
-  BB3 {
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 70 10 70 21] _7 < _8);
-    switch (_6)
-      | False -> goto BB16
-      | _ -> goto BB4
-      end
-  }
-  BB4 {
-    max_10 <- i_2;
-    _12 <- i_2;
-    j_11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 72 20 72 25] _12 + (1 : usize));
-    goto BB5
-  }
-  BB5 {
-    invariant max_is_max { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 73 8 73 96] forall k : (int) . UInt64.to_int i_2 <= k && k < UInt64.to_int j_11 -> (let (a, _) = Seq.get (Model1.model v_1) (UInt64.to_int max_10) in a) <= (let (a, _) = Seq.get (Model1.model v_1) k in a) };
-    invariant j_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 74 8 74 59] UInt64.to_int i_2 <= UInt64.to_int j_11 && UInt64.to_int j_11 <= Seq.length (Model1.model v_1) };
-    invariant max_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 75 8 75 56] UInt64.to_int i_2 <= UInt64.to_int max_10 && UInt64.to_int max_10 < UInt64.to_int j_11 };
-    _15 <- j_11;
-    _17 <-  * v_1;
-    _16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 76 18 76 25] Len0.len _17);
-    goto BB6
-  }
-  BB6 {
-    _14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 76 14 76 25] _15 < _16);
-    switch (_14)
-      | False -> goto BB13
-      | _ -> goto BB7
-      end
-  }
-  BB7 {
-    _22 <-  * v_1;
-    _23 <- j_11;
-    _21 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 77 15 77 19] Index0.index _22 _23);
-    goto BB8
-  }
-  BB8 {
-    _20 <- (let (a, _) = _21 in a);
-    _26 <-  * v_1;
-    _27 <- max_10;
-    _25 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 77 24 77 30] Index0.index _26 _27);
-    goto BB9
-  }
-  BB9 {
-    _24 <- (let (a, _) = _25 in a);
-    _19 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 77 15 77 32] _20 < _24);
-    switch (_19)
-      | False -> goto BB11
-      | _ -> goto BB10
-      end
-  }
-  BB10 {
-    _28 <- j_11;
-    max_10 <- _28;
-    _18 <- ();
-    goto BB12
-  }
-  BB11 {
-    _18 <- ();
-    goto BB12
-  }
-  BB12 {
-    j_11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 80 12 80 18] j_11 + (1 : usize));
-    _5 <- ();
-    goto BB5
-  }
-  BB13 {
-    _13 <- ();
-    _35 <- borrow_mut ( * v_1);
-    v_1 <- { v_1 with current = ( ^ _35) };
-    _34 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 82 8 82 22] DerefMut0.deref_mut _35);
-    goto BB14
-  }
-  BB14 {
-    _33 <- borrow_mut ( * _34);
-    _34 <- { _34 with current = ( ^ _33) };
-    _36 <- i_2;
-    _37 <- max_10;
-    _32 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 82 8 82 22] Swap0.swap _33 _36 _37);
-    goto BB15
-  }
-  BB15 {
-    assume { Resolve0.resolve _34 };
-    i_2 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 83 8 83 14] i_2 + (1 : usize));
-    _5 <- ();
-    goto BB2
-  }
-  BB16 {
-    assume { Resolve1.resolve v_1 };
-    _0 <- ();
-    return _0
-  }
-  
 end
-module CreuSat_Decision_Impl1_Rescore_Interface
+module CreusotContracts_Std1_Vec_Impl1
+  type t
+end
+module CreusotContracts_Logic_Resolve_Impl0_Resolve_Interface
+  type t1
+  type t2
+  predicate resolve (self : (t1, t2))
+end
+module CreusotContracts_Logic_Resolve_Impl0_Resolve
+  type t1
+  type t2
+  clone CreusotContracts_Logic_Resolve_Resolve_Resolve_Interface as Resolve1 with type self = t2
+  clone CreusotContracts_Logic_Resolve_Resolve_Resolve_Interface as Resolve0 with type self = t1
+  predicate resolve (self : (t1, t2)) =
+    Resolve0.resolve (let (a, _) = self in a) /\ Resolve1.resolve (let (_, a) = self in a)
+end
+module CreusotContracts_Logic_Resolve_Impl0
+  type t1
+  type t2
+end
+module CreusotContracts_Logic_Resolve_Impl2_Resolve_Interface
+  type t
+  predicate resolve (self : t)
+end
+module CreusotContracts_Logic_Resolve_Impl2_Resolve
+  type t
+  predicate resolve (self : t) =
+    true
+end
+module CreusotContracts_Logic_Resolve_Impl2
+  type t
+end
+module CreuSat_Decision_Impl1_IncrementAndMove_Interface
   use mach.int.UInt64
-  use seq.Seq
   use mach.int.Int
   use prelude.Prelude
-  use mach.int.Int32
   use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_decision_node,
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  clone CreuSat_Logic_LogicUtil_ElemsLessThan_Interface as ElemsLessThan0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = usize, type a = Type.alloc_alloc_global,
+  axiom .
+  val increment_and_move [@cfg:stackify] (self : borrowed (Type.creusat_decision_decisions)) (f : Type.creusat_formula_formula) (v : Type.alloc_vec_vec usize (Type.alloc_alloc_global)) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 199 4 199 49] ElemsLessThan0.elems_less_than (Model0.model v) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 200 4 200 42] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < 18446744073709551615}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 201 4 201 30] Invariant0.invariant' f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 202 4 202 51] Invariant1.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 202 4 202 51] Invariant1.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+    
+end
+module CreuSat_Formula_Impl0_Output
+  use Type
+  type output  =
+    Type.creusat_clause_clause
+end
+module CreuSat_Formula_Impl0
+  use Type
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.UInt64
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant0
-  val rescore [@cfg:stackify] (self : borrowed (Type.creusat_decision_decisions)) (_f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 130 4 130 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 131 4 131 56] Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self))) < 18446744073709551615}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 130 4 130 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 132 4 132 67] UInt64.to_int (Type.creusat_decision_decisions_Decisions_timestamp ( ^ self)) = Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self))) + 1 }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 133 4 133 73] Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( ^ self))) = Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self))) }
+  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model1 with function Model0.model = Model2.model
+  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_formula_formula,
+  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
+  clone CreuSat_Formula_Impl0_Output as Output0
+  clone CreuSat_Formula_Impl0_Index_Interface as Index0 with function Model0.model = Model0.model
+  clone Core_Ops_Index_Index_Index_Interface as Index1 with type self = Type.creusat_formula_formula, type idx = usize,
+  val index = Index0.index, type Output0.output = Output0.output
+  clone Core_Ops_Index_Index_Output as Output1 with type self = Type.creusat_formula_formula, type idx = usize,
+  type output = Output0.output
+end
+module CreusotContracts_Std1_Clone_Clone_Clone_Interface
+  type self
+  use prelude.Prelude
+  val clone' [@cfg:stackify] (self : self) : self
+    ensures { result = self }
     
 end
-module CreuSat_Decision_Impl1_Rescore
+module CreuSat_Clause_Impl2
+  use Type
+  clone CreuSat_Clause_Impl2_Clone_Interface as Clone0
+  clone CreusotContracts_Std1_Clone_Clone_Clone_Interface as Clone1 with type self = Type.creusat_clause_clause,
+  val clone' = Clone0.clone'
+end
+module CreuSat_ConflictAnalysis_AnalyzeConflict_Interface
   use mach.int.UInt64
-  use seq.Seq
   use mach.int.Int
   use prelude.Prelude
-  use mach.int.Int32
+  use seq.Seq
   use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_decision_node,
+  use mach.int.Int32
+  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface as EquisatExtensionInner0
+  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model2 with type t = Type.creusat_formula_formula,
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner_Interface as NoDuplicateIndexesInner0
+  clone CreuSat_Logic_LogicClause_VarsInRangeInner_Interface as VarsInRangeInner0
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant3
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable_Interface as NotSatisfiable0
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant0 with function Model0.model = Model0.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_decision_decisions
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_decision_node
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_decision_node
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.creusat_decision_node, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = Type.creusat_decision_node, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model
-  let rec cfg rescore [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 134 4 134 39] (self : borrowed (Type.creusat_decision_decisions)) (_f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 130 4 130 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 131 4 131 56] Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self))) < 18446744073709551615}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 130 4 130 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 132 4 132 67] UInt64.to_int (Type.creusat_decision_decisions_Decisions_timestamp ( ^ self)) = Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self))) + 1 }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 133 4 133 73] Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( ^ self))) = Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self))) }
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val analyze_conflict [@cfg:stackify] (f : Type.creusat_formula_formula) (trail : Type.creusat_trail_trail) (cref : usize) (d : borrowed (Type.creusat_decision_decisions)) : Type.creusat_conflictanalysis_conflict
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 161 0 161 26] Invariant0.invariant' f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 162 0 162 38] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < 18446744073709551615}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 163 0 163 32] Invariant1.invariant' trail f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 164 0 164 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 165 0 165 57] Unsat0.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref)) (Type.creusat_trail_trail_Trail_assignments trail)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 191 0 191 44] Invariant2.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 166 0 190 3] match (result) with
+      | Type.CreuSat_ConflictAnalysis_Conflict_Ground -> NotSatisfiable0.not_satisfiable f
+      | Type.CreuSat_ConflictAnalysis_Conflict_Unit clause -> Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) /\ Seq.length (Model1.model clause) = 1 /\ VarsInRangeInner0.vars_in_range_inner (Model1.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) /\ NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model clause) /\ EquisatExtensionInner0.equisat_extension_inner clause (Model2.model f)
+      | Type.CreuSat_ConflictAnalysis_Conflict_Learned s_idx clause -> Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) /\ Seq.length (Model1.model clause) > 1 /\ VarsInRangeInner0.vars_in_range_inner (Model1.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) /\ NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model clause) /\ EquisatExtensionInner0.equisat_extension_inner clause (Model2.model f) /\ UInt64.to_int s_idx < Seq.length (Model1.model clause)
+      | Type.CreuSat_ConflictAnalysis_Conflict_Restart clause -> Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) /\ Seq.length (Model1.model clause) > 1 /\ VarsInRangeInner0.vars_in_range_inner (Model1.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) /\ NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model clause) /\ EquisatExtensionInner0.equisat_extension_inner clause (Model2.model f)
+      end }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 191 0 191 44] Invariant2.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
     
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_decision_decisions);
-  var _f_2 : Type.creusat_formula_formula;
-  var iNVALID'_3 : usize;
-  ghost var old_self_4 : borrowed (Type.creusat_decision_decisions);
-  var _5 : ();
-  var curr_score_6 : usize;
-  var _7 : Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global);
-  var i_8 : usize;
-  var curr_9 : usize;
-  var _10 : ();
-  var _11 : ();
-  var _12 : bool;
-  var _13 : usize;
-  var _14 : usize;
-  var _15 : usize;
-  var _16 : borrowed (Type.creusat_decision_node);
-  var _17 : borrowed (Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global));
-  var _18 : usize;
-  var _19 : ();
-  var _20 : bool;
-  var _21 : usize;
-  var _22 : ();
-  var _23 : usize;
-  var _24 : Type.creusat_decision_node;
-  var _25 : Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global);
-  var _26 : usize;
-  var _27 : ();
-  var _28 : ();
-  var _29 : ();
-  var _30 : usize;
-  var _31 : Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global);
-  {
-    self_1 <- self;
-    _f_2 <- _f;
-    goto BB0
-  }
-  BB0 {
-    iNVALID'_3 <- (18446744073709551615 : usize);
-    _5 <- ();
-    old_self_4 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 136 23 136 38] self_1);
-    goto BB1
-  }
-  BB1 {
-    _7 <- Type.creusat_decision_decisions_Decisions_linked_list ( * self_1);
-    curr_score_6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 137 29 137 51] Len0.len _7);
-    goto BB2
-  }
-  BB2 {
-    i_8 <- (0 : usize);
-    curr_9 <- Type.creusat_decision_decisions_Decisions_start ( * self_1);
-    goto BB3
-  }
-  BB3 {
-    invariant curr_ok { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 140 8 140 86] curr_9 = (18446744073709551615 : usize) || UInt64.to_int curr_9 < Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self_1))) };
-    invariant proph { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 141 8 141 55]  ^ old_self_4 =  ^ self_1 };
-    invariant unch { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 142 8 145 10] forall j : (int) . 0 <= j && j < Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self_1))) -> Type.creusat_decision_node_Node_next (Seq.get (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self_1))) j) = Type.creusat_decision_node_Node_next (Seq.get (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * old_self_4))) j) && Type.creusat_decision_node_Node_prev (Seq.get (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self_1))) j) = Type.creusat_decision_node_Node_prev (Seq.get (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * old_self_4))) j) };
-    invariant inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 146 8 146 55] Invariant0.invariant' ( * self_1) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f_2)) };
-    _13 <- curr_9;
-    _14 <- iNVALID'_3;
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 147 14 147 29] _13 <> _14);
-    switch (_12)
-      | False -> goto BB9
-      | _ -> goto BB4
-      end
-  }
-  BB4 {
-    _15 <- curr_score_6;
-    _17 <- borrow_mut (Type.creusat_decision_decisions_Decisions_linked_list ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Decision_Decisions a b c d =  * self_1 in Type.CreuSat_Decision_Decisions ( ^ _17) b c d) };
-    _18 <- curr_9;
-    _16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 148 12 148 34] IndexMut0.index_mut _17 _18);
-    goto BB5
-  }
-  BB5 {
-    _16 <- { _16 with current = (let Type.CreuSat_Decision_Node a b c =  * _16 in Type.CreuSat_Decision_Node a b _15) };
-    assume { Resolve0.resolve _16 };
-    _21 <- curr_score_6;
-    _20 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 149 15 149 29] _21 > (0 : usize));
-    switch (_20)
-      | False -> goto BB7
-      | _ -> goto BB6
-      end
-  }
-  BB6 {
-    curr_score_6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 150 16 150 31] curr_score_6 - (1 : usize));
-    _19 <- ();
-    _25 <- Type.creusat_decision_decisions_Decisions_linked_list ( * self_1);
-    _26 <- curr_9;
-    _24 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 154 19 154 41] Index0.index _25 _26);
-    goto BB8
-  }
-  BB7 {
-    _10 <- ();
-    goto BB10
-  }
-  BB8 {
-    _23 <- Type.creusat_decision_node_Node_next _24;
-    curr_9 <- _23;
-    _11 <- ();
-    goto BB3
-  }
-  BB9 {
-    _10 <- ();
-    goto BB10
-  }
-  BB10 {
-    _31 <- Type.creusat_decision_decisions_Decisions_linked_list ( * self_1);
-    _30 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 156 25 156 47] Len0.len _31);
-    goto BB11
-  }
-  BB11 {
-    self_1 <- { self_1 with current = (let Type.CreuSat_Decision_Decisions a b c d =  * self_1 in Type.CreuSat_Decision_Decisions a ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 156 8 156 51] _30 + (1 : usize)) c d) };
-    assume { Resolve1.resolve self_1 };
-    _0 <- ();
-    return _0
-  }
-  
 end
-module CreuSat_Decision_Impl1_MoveToFront_Interface
+module CreuSat_ConflictAnalysis_ResolveEmptyClause_Interface
   use mach.int.UInt64
+  use seq.Seq
   use mach.int.Int
   use prelude.Prelude
-  use seq.Seq
   use Type
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_decision_node,
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable_Interface as NotSatisfiable0
+  clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  val move_to_front [@cfg:stackify] (self : borrowed (Type.creusat_decision_decisions)) (tomove : usize) (_f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 160 4 160 43] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f) < 18446744073709551615}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 161 4 161 52] UInt64.to_int tomove < Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 162 4 162 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 162 4 162 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val resolve_empty_clause [@cfg:stackify] (f : Type.creusat_formula_formula) (trail : Type.creusat_trail_trail) (cref : usize) : bool
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 266 0 266 26] Invariant0.invariant' f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 267 0 267 32] Invariant1.invariant' trail f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 268 0 268 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 269 0 269 57] Unsat0.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref)) (Type.creusat_trail_trail_Trail_assignments trail)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/conflict_analysis.rs" 270 0 270 42] result -> NotSatisfiable0.not_satisfiable f }
     
 end
-module CreuSat_Decision_Impl1_MoveToFront
+module CreuSat_Decision_Impl2_Clone_Interface
+  use prelude.Prelude
+  use Type
+  val clone' [@cfg:stackify] (self : Type.creusat_decision_node) : Type.creusat_decision_node
+end
+module CreuSat_Decision_Impl0_Default_Interface
   use mach.int.UInt64
   use mach.int.Int
   use prelude.Prelude
-  use seq.Seq
+  use mach.int.Int32
   use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant0 with function Model0.model = Model0.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_decision_node
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_decision_decisions
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = Type.creusat_decision_node, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone CreuSat_Decision_Impl1_Rescore_Interface as Rescore0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  function Model0.model = Model0.model
-  let rec cfg move_to_front [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 163 4 163 60] (self : borrowed (Type.creusat_decision_decisions)) (tomove : usize) (_f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 160 4 160 43] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f) < 18446744073709551615}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 161 4 161 52] UInt64.to_int tomove < Seq.length (Model0.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 162 4 162 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 162 4 162 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
+  val default [@cfg:stackify] (_ : ()) : Type.creusat_decision_node
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 21 4 21 43] UInt64.to_int (Type.creusat_decision_node_Node_next result) = 18446744073709551615 }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 22 4 22 43] UInt64.to_int (Type.creusat_decision_node_Node_prev result) = 18446744073709551615 }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 23 4 23 33] UInt64.to_int (Type.creusat_decision_node_Node_ts result) = 0 }
     
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_decision_decisions);
-  var tomove_2 : usize;
-  var _f_3 : Type.creusat_formula_formula;
-  var iNVALID'_4 : usize;
-  var _5 : ();
-  var _6 : bool;
-  var _7 : usize;
-  var _8 : usize;
-  var _9 : ();
-  var moving_10 : borrowed (Type.creusat_decision_node);
-  var _11 : borrowed (Type.creusat_decision_node);
-  var _12 : borrowed (Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global));
-  var _13 : usize;
-  var prev_14 : usize;
-  var old_next_15 : usize;
-  var _16 : usize;
-  var _17 : usize;
-  var _18 : usize;
-  var _19 : ();
-  var _20 : bool;
-  var _21 : usize;
-  var _22 : ();
-  var _23 : borrowed (Type.creusat_decision_decisions);
-  var _24 : Type.creusat_formula_formula;
-  var _25 : ();
-  var _26 : usize;
-  var _27 : borrowed (Type.creusat_decision_node);
-  var _28 : borrowed (Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global));
-  var _29 : usize;
-  var _30 : usize;
-  var _31 : ();
-  var _32 : bool;
-  var _33 : usize;
-  var _34 : usize;
-  var _35 : usize;
-  var _36 : borrowed (Type.creusat_decision_node);
-  var _37 : borrowed (Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global));
-  var _38 : usize;
-  var _39 : bool;
-  var _40 : usize;
-  var _41 : usize;
-  var _42 : usize;
-  var _43 : borrowed (Type.creusat_decision_node);
-  var _44 : borrowed (Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global));
-  var _45 : usize;
-  {
-    self_1 <- self;
-    tomove_2 <- tomove;
-    _f_3 <- _f;
-    goto BB0
-  }
-  BB0 {
-    iNVALID'_4 <- (18446744073709551615 : usize);
-    _7 <- tomove_2;
-    _8 <- Type.creusat_decision_decisions_Decisions_start ( * self_1);
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 165 11 165 31] _7 = _8);
-    switch (_6)
-      | False -> goto BB2
-      | _ -> goto BB1
-      end
-  }
-  BB1 {
-    assume { Resolve0.resolve self_1 };
-    _0 <- ();
-    goto BB17
-  }
-  BB2 {
-    _5 <- ();
-    _12 <- borrow_mut (Type.creusat_decision_decisions_Decisions_linked_list ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Decision_Decisions a b c d =  * self_1 in Type.CreuSat_Decision_Decisions ( ^ _12) b c d) };
-    _13 <- tomove_2;
-    _11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 168 30 168 54] IndexMut0.index_mut _12 _13);
-    goto BB3
-  }
-  BB3 {
-    moving_10 <- borrow_mut ( * _11);
-    _11 <- { _11 with current = ( ^ moving_10) };
-    assume { Resolve1.resolve _11 };
-    prev_14 <- Type.creusat_decision_node_Node_prev ( * moving_10);
-    old_next_15 <- Type.creusat_decision_node_Node_next ( * moving_10);
-    _16 <- iNVALID'_4;
-    moving_10 <- { moving_10 with current = (let Type.CreuSat_Decision_Node a b c =  * moving_10 in Type.CreuSat_Decision_Node a _16 c) };
-    _17 <- Type.creusat_decision_decisions_Decisions_start ( * self_1);
-    moving_10 <- { moving_10 with current = (let Type.CreuSat_Decision_Node a b c =  * moving_10 in Type.CreuSat_Decision_Node _17 b c) };
-    _18 <- Type.creusat_decision_decisions_Decisions_timestamp ( * self_1);
-    moving_10 <- { moving_10 with current = (let Type.CreuSat_Decision_Node a b c =  * moving_10 in Type.CreuSat_Decision_Node a b _18) };
-    assume { Resolve1.resolve moving_10 };
-    _21 <- Type.creusat_decision_decisions_Decisions_timestamp ( * self_1);
-    _20 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 174 11 174 39] _21 = (18446744073709551615 : usize));
-    switch (_20)
-      | False -> goto BB6
-      | _ -> goto BB4
-      end
-  }
-  BB4 {
-    _23 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _23) };
-    _24 <- _f_3;
-    _22 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 175 12 175 28] Rescore0.rescore _23 _24);
-    goto BB5
-  }
-  BB5 {
-    _19 <- ();
-    goto BB7
-  }
-  BB6 {
-    self_1 <- { self_1 with current = (let Type.CreuSat_Decision_Decisions a b c d =  * self_1 in Type.CreuSat_Decision_Decisions a ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 177 12 177 31] Type.creusat_decision_decisions_Decisions_timestamp ( * self_1) + (1 : usize)) c d) };
-    _19 <- ();
-    goto BB7
-  }
-  BB7 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 179 8 179 51] UInt64.to_int (Type.creusat_decision_decisions_Decisions_start ( * self_1)) < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f_3) };
-    _25 <- ();
-    _26 <- tomove_2;
-    _28 <- borrow_mut (Type.creusat_decision_decisions_Decisions_linked_list ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Decision_Decisions a b c d =  * self_1 in Type.CreuSat_Decision_Decisions ( ^ _28) b c d) };
-    _29 <- Type.creusat_decision_decisions_Decisions_start ( * self_1);
-    _27 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 180 8 180 36] IndexMut0.index_mut _28 _29);
-    goto BB8
-  }
-  BB8 {
-    _27 <- { _27 with current = (let Type.CreuSat_Decision_Node a b c =  * _27 in Type.CreuSat_Decision_Node a _26 c) };
-    assume { Resolve1.resolve _27 };
-    _30 <- tomove_2;
-    self_1 <- { self_1 with current = (let Type.CreuSat_Decision_Decisions a b c d =  * self_1 in Type.CreuSat_Decision_Decisions a b _30 d) };
-    _33 <- prev_14;
-    _34 <- iNVALID'_4;
-    _32 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 182 11 182 26] _33 <> _34);
-    switch (_32)
-      | False -> goto BB11
-      | _ -> goto BB9
-      end
-  }
-  BB9 {
-    _35 <- old_next_15;
-    _37 <- borrow_mut (Type.creusat_decision_decisions_Decisions_linked_list ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Decision_Decisions a b c d =  * self_1 in Type.CreuSat_Decision_Decisions ( ^ _37) b c d) };
-    _38 <- prev_14;
-    _36 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 184 12 184 34] IndexMut0.index_mut _37 _38);
-    goto BB10
-  }
-  BB10 {
-    _36 <- { _36 with current = (let Type.CreuSat_Decision_Node a b c =  * _36 in Type.CreuSat_Decision_Node _35 b c) };
-    assume { Resolve1.resolve _36 };
-    _31 <- ();
-    goto BB12
-  }
-  BB11 {
-    _31 <- ();
-    goto BB12
-  }
-  BB12 {
-    _40 <- old_next_15;
-    _41 <- iNVALID'_4;
-    _39 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 186 11 186 30] _40 <> _41);
-    switch (_39)
-      | False -> goto BB15
-      | _ -> goto BB13
-      end
-  }
-  BB13 {
-    _42 <- prev_14;
-    _44 <- borrow_mut (Type.creusat_decision_decisions_Decisions_linked_list ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Decision_Decisions a b c d =  * self_1 in Type.CreuSat_Decision_Decisions ( ^ _44) b c d) };
-    assume { Resolve0.resolve self_1 };
-    _45 <- old_next_15;
-    _43 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 187 12 187 38] IndexMut0.index_mut _44 _45);
-    goto BB14
-  }
-  BB14 {
-    _43 <- { _43 with current = (let Type.CreuSat_Decision_Node a b c =  * _43 in Type.CreuSat_Decision_Node a _42 c) };
-    assume { Resolve1.resolve _43 };
-    _0 <- ();
-    goto BB16
-  }
-  BB15 {
-    assume { Resolve0.resolve self_1 };
-    _0 <- ();
-    goto BB16
-  }
-  BB16 {
-    goto BB17
-  }
-  BB17 {
-    return _0
-  }
-  
 end
-module CreusotContracts_Std1_Vec_Impl1
-  type t
+module Core_Default_Default_Default_Interface
+  type self
+  val default [@cfg:stackify] (_ : ()) : self
+    requires {false}
+    
 end
-module CreusotContracts_Logic_Resolve_Impl0_Resolve_Interface
-  type t1
-  type t2
-  predicate resolve (self : (t1, t2))
+module CreuSat_Decision_Impl0
+  use Type
+  clone CreuSat_Decision_Impl0_Default_Interface as Default0
+  clone Core_Default_Default_Default_Interface as Default1 with type self = Type.creusat_decision_node,
+  val default = Default0.default
 end
-module CreusotContracts_Logic_Resolve_Impl0_Resolve
-  type t1
-  type t2
-  clone CreusotContracts_Logic_Resolve_Resolve_Resolve_Interface as Resolve1 with type self = t2
-  clone CreusotContracts_Logic_Resolve_Resolve_Resolve_Interface as Resolve0 with type self = t1
-  predicate resolve (self : (t1, t2)) =
-    Resolve0.resolve (let (a, _) = self in a) && Resolve1.resolve (let (_, a) = self in a)
+module CreuSat_Decision_Impl1_MakeLinkedList_Interface
+  use mach.int.Int
+  use mach.int.Int32
+  use mach.int.UInt64
+  use prelude.Prelude
+  use seq.Seq
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant1
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = usize, type a = Type.alloc_alloc_global,
+  axiom .
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val make_linked_list [@cfg:stackify] (f : Type.creusat_formula_formula) (lit_order : Type.alloc_vec_vec usize (Type.alloc_alloc_global)) : Type.creusat_decision_decisions
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 39 4 39 30] Invariant0.invariant' f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 40 4 40 63] 0 < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) /\ UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 41 4 43 48] Seq.length (Model0.model lit_order) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) /\ (forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model lit_order) -> UInt64.to_int (Seq.get (Model0.model lit_order) i) < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 44 4 44 45] Invariant1.invariant' result (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+    
 end
-module CreusotContracts_Logic_Resolve_Impl0
-  type t1
-  type t2
+module CreuSat_Logic_LogicUtil_SortedRangeRev_Interface
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.UInt64
+  predicate sorted_range_rev (s : Seq.seq (usize, usize)) (l : int) (u : int)
 end
-module CreusotContracts_Logic_Resolve_Impl2_Resolve_Interface
-  type t
-  predicate resolve (self : t)
+module CreuSat_Logic_LogicUtil_SortedRangeRev
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.UInt64
+  predicate sorted_range_rev [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 6 0 6 71] (s : Seq.seq (usize, usize)) (l : int) (u : int)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 7 4 9 5] forall j : (int) . forall i : (int) . l <= i /\ i < j /\ j < u -> (let (a, _) = Seq.get s i in a) >= (let (a, _) = Seq.get s j in a)
 end
-module CreusotContracts_Logic_Resolve_Impl2_Resolve
-  type t
-  predicate resolve (self : t) =
-    true
+module CreuSat_Logic_LogicUtil_SortedRev_Interface
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.UInt64
+  predicate sorted_rev (s : Seq.seq (usize, usize))
 end
-module CreusotContracts_Logic_Resolve_Impl2
-  type t
+module CreuSat_Logic_LogicUtil_SortedRev
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.UInt64
+  use mach.int.Int32
+  clone CreuSat_Logic_LogicUtil_SortedRangeRev_Interface as SortedRangeRev0
+  predicate sorted_rev [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 13 0 13 49] (s : Seq.seq (usize, usize))
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 14 4 16 5] SortedRangeRev0.sorted_range_rev s 0 (Seq.length s)
 end
-module CreuSat_Decision_Impl1_IncrementAndMove_Interface
+module CreuSat_Logic_LogicUtil_PartitionRev_Interface
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.UInt64
+  predicate partition_rev (v : Seq.seq (usize, usize)) (i : int)
+end
+module CreuSat_Logic_LogicUtil_PartitionRev
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.UInt64
+  use mach.int.Int32
+  predicate partition_rev [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 53 0 53 60] (v : Seq.seq (usize, usize)) (i : int)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 54 4 54 110] forall k2 : (int) . forall k1 : (int) . 0 <= k1 /\ k1 < i /\ i <= k2 /\ k2 < Seq.length v -> (let (a, _) = Seq.get v k1 in a) >= (let (a, _) = Seq.get v k2 in a)
+end
+module CreuSat_Util_SortReverse_Interface
+  use prelude.Prelude
+  use Type
+  use mach.int.Int
   use mach.int.UInt64
+  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy0 with type t = (usize, usize),
+  type a = Type.alloc_alloc_global
+  clone CreusotContracts_Logic_Seq_Impl2_PermutationOf_Interface as PermutationOf0 with type t = (usize, usize)
+  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model1 with type t = Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global),
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  clone CreuSat_Logic_LogicUtil_SortedRev_Interface as SortedRev0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = (usize, usize),
+  type a = Type.alloc_alloc_global, axiom .
+  val sort_reverse [@cfg:stackify] (v : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global))) : ()
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/util.rs" 11 0 11 27] SortedRev0.sorted_rev (Model0.model ( ^ v)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/util.rs" 12 0 12 36] PermutationOf0.permutation_of (Model0.model ( ^ v)) (Model1.model v) }
+    
+end
+module CreuSat_Decision_Impl1_New_Interface
   use mach.int.Int
+  use mach.int.Int32
+  use mach.int.UInt64
   use prelude.Prelude
   use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
   clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  clone CreuSat_Logic_LogicUtil_ElemsLessThan_Interface as ElemsLessThan0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = usize, type a = Type.alloc_alloc_global,
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   axiom .
-  val increment_and_move [@cfg:stackify] (self : borrowed (Type.creusat_decision_decisions)) (f : Type.creusat_formula_formula) (v : Type.alloc_vec_vec usize (Type.alloc_alloc_global)) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 199 4 199 49] ElemsLessThan0.elems_less_than (Model0.model v) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 200 4 200 42] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < 18446744073709551615}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 201 4 201 30] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 202 4 202 51] Invariant1.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 202 4 202 51] Invariant1.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+  val new [@cfg:stackify] (f : Type.creusat_formula_formula) : Type.creusat_decision_decisions
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 79 4 79 30] Invariant0.invariant' f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 80 4 80 63] 0 < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) /\ UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 81 4 81 45] Invariant1.invariant' result (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+    
+end
+module CreuSat_Logic_LogicAssignments_Impl1_Complete_Interface
+  use Type
+  predicate complete (self : Type.creusat_assignments_assignments)
+end
+module CreuSat_Logic_LogicAssignments_Impl1_Complete
+  use Type
+  use mach.int.Int
+  use mach.int.Int32
+  use seq.Seq
+  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
+  predicate complete [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_assignments.rs" 55 4 55 33] (self : Type.creusat_assignments_assignments)
     
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_assignments.rs" 56 8 58 9] forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model self) -> not Unset0.unset (Seq.get (Model0.model self) i)
 end
-module CreuSat_Decision_Impl1_IncrementAndMove
+module CreuSat_Decision_Impl1_GetNext_Interface
   use mach.int.UInt64
+  use Type
   use mach.int.Int
   use prelude.Prelude
-  use Type
   use seq.Seq
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant3 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model5 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant2 with function Model0.model = Model5.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model5.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model3 with function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model4.model,
-  predicate Invariant0.invariant' = Invariant2.invariant', function Model1.model = Model5.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model3.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = (usize, usize), type a = Type.alloc_alloc_global,
-  axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicUtil_ElemsLessThan as ElemsLessThan0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicUtil_SortedRangeTupleZeroth as SortedRangeTupleZeroth0
-  clone CreuSat_Logic_LogicUtil_SortedTupleZeroth as SortedTupleZeroth0 with predicate SortedRangeTupleZeroth0.sorted_range_tuple_zeroth = SortedRangeTupleZeroth0.sorted_range_tuple_zeroth
-  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve6 with type t = usize
-  clone CreusotContracts_Logic_Resolve_Impl0_Resolve as Resolve5 with type t1 = usize, type t2 = usize,
-  predicate Resolve0.resolve = Resolve6.resolve, predicate Resolve1.resolve = Resolve6.resolve
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_decision_decisions
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy3 with type t = (usize, usize),
-  type a = Type.alloc_alloc_global
-  clone CreusotContracts_Logic_Seq_Impl2_PermutationOf as PermutationOf0 with type t = (usize, usize)
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy2 with type t = (usize, usize)
-  clone Core_Slice_Index_Impl2_Output as Output2 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue2 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds2 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_decision_node
-  clone Core_Slice_Index_Impl2_Output as Output1 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue1 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds1 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = usize
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = usize
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model7 with type t = Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy3.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Util_Sort_Interface as Sort0 with function Model0.model = Model1.model,
-  predicate SortedTupleZeroth0.sorted_tuple_zeroth = SortedTupleZeroth0.sorted_tuple_zeroth,
-  function Model1.model = Model7.model, predicate PermutationOf0.permutation_of = PermutationOf0.permutation_of
-  clone CreusotContracts_Std1_Vec_Impl1_Resolve as Resolve3 with type t = (usize, usize),
-  function Model0.model = Model1.model, predicate Resolve0.resolve = Resolve5.resolve
-  clone Alloc_Vec_Impl16_Index_Interface as Index2 with type t = (usize, usize), type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model1.model,
-  predicate InBounds0.in_bounds = InBounds2.in_bounds, predicate HasValue0.has_value = HasValue2.has_value,
-  type Output0.output = Output2.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len1 with type t = (usize, usize), type a = Type.alloc_alloc_global,
-  function Model0.model = Model1.model
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = (usize, usize), type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model1.model,
-  predicate InBounds0.in_bounds = InBounds2.in_bounds, predicate HasValue0.has_value = HasValue2.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output2.output
-  clone Alloc_Vec_FromElem_Interface as FromElem0 with type t = (usize, usize), function Model0.model = Model1.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index1 with type t = Type.creusat_decision_node, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds1.in_bounds, predicate HasValue0.has_value = HasValue1.has_value,
-  type Output0.output = Output1.output
-  clone CreuSat_Decision_Impl1_MoveToFront_Interface as MoveToFront0 with function Model0.model = Model2.model,
-  predicate Invariant0.invariant' = Invariant1.invariant'
-  clone CreusotContracts_Std1_Vec_Impl1_Resolve as Resolve4 with type t = usize, function Model0.model = Model0.model,
-  predicate Resolve0.resolve = Resolve6.resolve
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = usize, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = usize, type a = Type.alloc_alloc_global,
-  function Model0.model = Model0.model
-  let rec cfg increment_and_move [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 203 4 203 68] (self : borrowed (Type.creusat_decision_decisions)) (f : Type.creusat_formula_formula) (v : Type.alloc_vec_vec usize (Type.alloc_alloc_global)) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 199 4 199 49] ElemsLessThan0.elems_less_than (Model0.model v) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 200 4 200 42] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < 18446744073709551615}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 201 4 201 30] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 202 4 202 51] Invariant1.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 202 4 202 51] Invariant1.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicAssignments_Impl1_Complete_Interface as Complete0
+  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
+  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_assignments_assignments,
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant0
+  val get_next [@cfg:stackify] (self : borrowed (Type.creusat_decision_decisions)) (a : Type.creusat_assignments_assignments) (_f : Type.creusat_formula_formula) : Type.core_option_option usize
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 232 4 232 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 233 4 233 33] Invariant1.invariant' a _f}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 232 4 232 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/decision.rs" 234 4 237 7] match (result) with
+      | Type.Core_Option_Option_Some k -> UInt64.to_int k < Seq.length (Model0.model a) /\ Unset0.unset (Seq.get (Model0.model a) (UInt64.to_int k))
+      | Type.Core_Option_Option_None -> Complete0.complete a
+      end }
     
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_decision_decisions);
-  var f_2 : Type.creusat_formula_formula;
-  var v_3 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var counts_with_index_4 : Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global);
-  var _5 : (usize, usize);
-  var _6 : usize;
-  var _7 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  ghost var old_self_8 : borrowed (Type.creusat_decision_decisions);
-  var _9 : ();
-  var i_10 : usize;
-  var _11 : ();
-  var _12 : ();
-  var _13 : bool;
-  var _14 : usize;
-  var _15 : usize;
-  var _16 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _17 : usize;
-  var _18 : Type.creusat_decision_node;
-  var _19 : Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global);
-  var _20 : usize;
-  var _21 : usize;
-  var _22 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _23 : usize;
-  var _24 : usize;
-  var _25 : usize;
-  var _26 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _27 : usize;
-  var _28 : borrowed (usize, usize);
-  var _29 : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global));
-  var _30 : usize;
-  var _31 : ();
-  var _32 : ();
-  var _33 : ();
-  var _34 : ();
-  var _35 : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global));
-  var _36 : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global));
-  var _37 : bool;
-  var _38 : usize;
-  var _39 : usize;
-  var _40 : Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global);
-  var _41 : ();
-  var _42 : borrowed (Type.creusat_decision_decisions);
-  var _43 : usize;
-  var _44 : (usize, usize);
-  var _45 : Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global);
-  var _46 : usize;
-  var _47 : Type.creusat_formula_formula;
-  var _48 : ();
-  var _49 : ();
-  var _50 : ();
-  {
-    self_1 <- self;
-    f_2 <- f;
-    v_3 <- v;
-    goto BB0
-  }
-  BB0 {
-    goto BB1
-  }
-  BB1 {
-    _5 <- ((0 : usize), (0 : usize));
-    _7 <- v_3;
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 204 70 204 77] Len0.len _7);
-    goto BB2
-  }
-  BB2 {
-    counts_with_index_4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 204 57 204 78] FromElem0.from_elem _5 _6);
-    goto BB3
-  }
-  BB3 {
-    _9 <- ();
-    old_self_8 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 205 23 205 38] self_1);
-    goto BB4
-  }
-  BB4 {
-    i_10 <- (0 : usize);
-    goto BB5
-  }
-  BB5 {
-    goto BB6
-  }
-  BB6 {
-    goto BB7
-  }
-  BB7 {
-    invariant unch { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 207 8 207 52] old_self_8 = self_1 };
-    invariant proph { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 208 8 208 55]  ^ old_self_8 =  ^ self_1 };
-    invariant len_same { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 209 8 209 72] Seq.length (Model0.model v_3) = Seq.length (Model1.model counts_with_index_4) };
-    invariant all_less { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 210 8 211 68] forall j : (int) . 0 <= j && j < UInt64.to_int i_10 -> UInt64.to_int (let (_, a) = Seq.get (Model1.model counts_with_index_4) j in a) < Seq.length (Model2.model (Type.creusat_decision_decisions_Decisions_linked_list ( * self_1))) };
-    _14 <- i_10;
-    _16 <- v_3;
-    _15 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 212 18 212 25] Len0.len _16);
-    goto BB8
-  }
-  BB8 {
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 212 14 212 25] _14 < _15);
-    switch (_13)
-      | False -> goto BB14
-      | _ -> goto BB9
-      end
-  }
-  BB9 {
-    _19 <- Type.creusat_decision_decisions_Decisions_linked_list ( * self_1);
-    _22 <- v_3;
-    _23 <- i_10;
-    _21 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 213 53 213 57] Index0.index _22 _23);
-    goto BB10
-  }
-  BB10 {
-    _20 <- _21;
-    _18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 213 36 213 58] Index1.index _19 _20);
-    goto BB11
-  }
-  BB11 {
-    _17 <- Type.creusat_decision_node_Node_ts _18;
-    _26 <- v_3;
-    _27 <- i_10;
-    _25 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 213 63 213 67] Index0.index _26 _27);
-    goto BB12
-  }
-  BB12 {
-    _24 <- _25;
-    _29 <- borrow_mut counts_with_index_4;
-    counts_with_index_4 <-  ^ _29;
-    _30 <- i_10;
-    _28 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 213 12 213 32] IndexMut0.index_mut _29 _30);
-    goto BB13
-  }
-  BB13 {
-    _28 <- { _28 with current = (_17, _24) };
-    assume { Resolve0.resolve _28 };
-    i_10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 214 12 214 18] i_10 + (1 : usize));
-    _12 <- ();
-    goto BB7
-  }
-  BB14 {
-    _11 <- ();
-    _36 <- borrow_mut counts_with_index_4;
-    counts_with_index_4 <-  ^ _36;
-    _35 <- borrow_mut ( * _36);
-    _36 <- { _36 with current = ( ^ _35) };
-    _34 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 218 8 218 36] Sort0.sort _35);
-    goto BB15
-  }
-  BB15 {
-    assume { Resolve1.resolve _36 };
-    i_10 <- (0 : usize);
-    goto BB16
-  }
-  BB16 {
-    goto BB17
-  }
-  BB17 {
-    invariant proph { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 222 8 222 55]  ^ old_self_8 =  ^ self_1 };
-    invariant inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 223 8 223 54] Invariant1.invariant' ( * self_1) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_2)) };
-    invariant len_same { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 224 8 224 72] Seq.length (Model0.model v_3) = Seq.length (Model1.model counts_with_index_4) };
-    _38 <- i_10;
-    _40 <- counts_with_index_4;
-    _39 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 225 18 225 41] Len1.len _40);
-    goto BB18
-  }
-  BB18 {
-    _37 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 225 14 225 41] _38 < _39);
-    switch (_37)
-      | False -> goto BB22
-      | _ -> goto BB19
-      end
-  }
-  BB19 {
-    _42 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _42) };
-    _45 <- counts_with_index_4;
-    _46 <- i_10;
-    _44 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 226 31 226 51] Index2.index _45 _46);
-    goto BB20
-  }
-  BB20 {
-    _43 <- (let (_, a) = _44 in a);
-    _47 <- f_2;
-    _41 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 226 12 226 57] MoveToFront0.move_to_front _42 _43 _47);
-    goto BB21
-  }
-  BB21 {
-    i_10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 227 12 227 18] i_10 + (1 : usize));
-    _12 <- ();
-    goto BB17
-  }
-  BB22 {
-    assume { Resolve2.resolve self_1 };
-    _0 <- ();
-    goto BB23
-  }
-  BB23 {
-    assume { Resolve3.resolve counts_with_index_4 };
-    goto BB24
-  }
-  BB24 {
-    assume { Resolve4.resolve v_3 };
-    return _0
-  }
-  
 end
-module CreuSat_Formula_Impl0_Output
+module CreuSat_Formula_Impl1_IndexMut_Interface
+  use mach.int.UInt64
+  use seq.Seq
+  use mach.int.Int
+  use mach.int.Int32
+  use prelude.Prelude
   use Type
-  type output  =
-    Type.creusat_clause_clause
+  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicFormula_Impl0_Model_Interface as Model1
+  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model0 with type t = Type.creusat_formula_formula,
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  val index_mut [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (ix : usize) : borrowed (Type.creusat_clause_clause)
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 43 4 43 38] UInt64.to_int ix < Seq.length (let (a, _) = Model0.model self in a)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 44 4 44 42] Seq.get (let (a, _) = Model1.model ( * self) in a) (UInt64.to_int ix) =  * result }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 45 4 45 42] Seq.get (let (a, _) = Model1.model ( ^ self) in a) (UInt64.to_int ix) =  ^ result }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 46 4 46 107] forall i : (int) . 0 <= i /\ i <> UInt64.to_int ix /\ i < Seq.length (let (a, _) = Model0.model self in a) -> Seq.get (let (a, _) = Model0.model self in a) i = Seq.get (let (a, _) = Model1.model ( ^ self) in a) i }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 47 4 47 52] Seq.length (let (a, _) = Model1.model ( ^ self) in a) = Seq.length (let (a, _) = Model1.model ( * self) in a) }
+    
 end
-module CreuSat_Formula_Impl0
+module CreuSat_Formula_Impl2_CheckFormulaInvariant_Interface
   use Type
   use mach.int.Int
-  use prelude.Prelude
+  use mach.int.Int32
   use mach.int.UInt64
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Formula_Impl0_Index_Interface as Index0 with function Model0.model = Model0.model
-  clone CreuSat_Formula_Impl0_Output as Output0
-  clone Core_Ops_Index_Index_Index_Interface as Index1 with type self = Type.creusat_formula_formula, type idx = usize,
-  val index = Index0.index, type Output0.output = Output0.output
-  clone Core_Ops_Index_Index_Output as Output1 with type self = Type.creusat_formula_formula, type idx = usize,
-  type output = Output0.output
-end
-module CreusotContracts_Std1_Clone_Clone_Clone_Interface
-  type self
   use prelude.Prelude
-  val clone' [@cfg:stackify] (self : self) : self
-    ensures { result = self }
+  use prelude.UInt8
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable_Interface as NotSatisfiable0
+  clone CreuSat_Logic_LogicFormula_FormulaSatInner_Interface as FormulaSatInner0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = uint8, type a = Type.alloc_alloc_global,
+  axiom .
+  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_formula_formula,
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  val check_formula_invariant [@cfg:stackify] (self : Type.creusat_formula_formula) : Type.creusat_solver_satresult
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 60 4 65 7] match (result) with
+      | Type.CreuSat_Solver_SatResult_Sat assn -> FormulaSatInner0.formula_sat_inner (Model0.model self) (Model1.model assn)
+      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable self
+      | Type.CreuSat_Solver_SatResult_Unknown -> Invariant0.invariant' self /\ 0 < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self) /\ UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self) < div 18446744073709551615 2
+      | Type.CreuSat_Solver_SatResult_Err -> true
+      end }
     
 end
-module CreusotContracts_Std1_Clone_Clone_Clone
-  type self
-  use prelude.Prelude
-  val clone' [@cfg:stackify] (self : self) : self
-    ensures { result = self }
+module CreuSat_Logic_LogicClause_Impl2_Sat_Interface
+  use Type
+  predicate sat (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
+end
+module CreuSat_Logic_LogicClause_Impl2_Sat
+  use Type
+  clone CreuSat_Logic_LogicClause_Impl2_SatInner_Interface as SatInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
+  predicate sat [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 166 4 166 44] (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
     
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 167 8 169 9] SatInner0.sat_inner self (Model0.model a)
 end
-module CreuSat_Clause_Impl2
+module CreuSat_Lit_Impl1_LitSat_Interface
+  use seq.Seq
   use Type
-  clone CreuSat_Clause_Impl2_Clone_Interface as Clone0
-  clone CreusotContracts_Std1_Clone_Clone_Clone_Interface as Clone1 with type self = Type.creusat_clause_clause,
-  val clone' = Clone0.clone'
+  use prelude.Prelude
+  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicLit_Impl1_Sat_Interface as Sat0
+  clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant0
+  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_assignments_assignments,
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  val lit_sat [@cfg:stackify] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments) : bool
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 51 4 51 43] Invariant0.invariant' self (Seq.length (Model0.model a))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 52 4 52 38] result = Sat0.sat self a }
+    
 end
-module CreuSat_ConflictAnalysis_AnalyzeConflict_Interface
+module CreuSat_Formula_Impl2_IsClauseSat_Interface
   use mach.int.UInt64
+  use seq.Seq
   use mach.int.Int
   use prelude.Prelude
-  use seq.Seq
   use Type
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface as EquisatExtensionInner0
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model2 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner_Interface as NoDuplicateIndexesInner0
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner_Interface as VarsInRangeInner0
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant3
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable_Interface as NotSatisfiable0
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat0
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicClause_Impl2_Sat_Interface as Sat0
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   axiom .
-  val analyze_conflict [@cfg:stackify] (f : Type.creusat_formula_formula) (trail : Type.creusat_trail_trail) (cref : usize) (d : borrowed (Type.creusat_decision_decisions)) : Type.creusat_conflictanalysis_conflict
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 161 0 161 26] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 162 0 162 38] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < 18446744073709551615}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 163 0 163 32] Invariant1.invariant' trail f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 164 0 164 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 165 0 165 57] Unsat0.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref)) (Type.creusat_trail_trail_Trail_assignments trail)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 191 0 191 44] Invariant2.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 166 0 190 3] match (result) with
-      | Type.CreuSat_ConflictAnalysis_Conflict_Ground -> NotSatisfiable0.not_satisfiable f
-      | Type.CreuSat_ConflictAnalysis_Conflict_Unit clause -> Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) && Seq.length (Model1.model clause) = 1 && VarsInRangeInner0.vars_in_range_inner (Model1.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) && NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model clause) && EquisatExtensionInner0.equisat_extension_inner clause (Model2.model f)
-      | Type.CreuSat_ConflictAnalysis_Conflict_Learned s_idx clause -> Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) && Seq.length (Model1.model clause) > 1 && VarsInRangeInner0.vars_in_range_inner (Model1.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) && NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model clause) && EquisatExtensionInner0.equisat_extension_inner clause (Model2.model f) && UInt64.to_int s_idx < Seq.length (Model1.model clause)
-      | Type.CreuSat_ConflictAnalysis_Conflict_Restart clause -> Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) && Seq.length (Model1.model clause) > 1 && VarsInRangeInner0.vars_in_range_inner (Model1.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) && NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model clause) && EquisatExtensionInner0.equisat_extension_inner clause (Model2.model f)
-      end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 191 0 191 44] Invariant2.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+  val is_clause_sat [@cfg:stackify] (self : Type.creusat_formula_formula) (idx : usize) (a : Type.creusat_assignments_assignments) : bool
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 92 4 92 33] Invariant0.invariant' self}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 93 4 93 35] Invariant1.invariant' a self}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 94 4 94 45] UInt64.to_int idx < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 95 4 95 55] result = Sat0.sat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) (UInt64.to_int idx)) a }
     
 end
-module CreuSat_ConflictAnalysis_AnalyzeConflict
-  use mach.int.UInt64
+module CreuSat_Logic_LogicWatches_WatchesInvariantInternal_Interface
+  use seq.Seq
+  use Type
   use mach.int.Int
-  use prelude.Prelude
+  predicate watches_invariant_internal (w : Seq.seq (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global))) (n : int) (f : Type.creusat_formula_formula)
+    
+end
+module CreuSat_Logic_LogicWatches_WatchesInvariantInternal
   use seq.Seq
   use Type
+  use mach.int.Int
   use mach.int.Int32
-  use prelude.UInt8
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model7 with function Model0.model = Model10.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicUtil_ElemsLessThan as ElemsLessThan0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = bool, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model7.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant4 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant4.invariant'
-  clone CreuSat_Logic_LogicLit_IdxInLogic as IdxInLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner1 with function Model0.model = Model1.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner as UnsatInner0 with function Model0.model = Model1.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat as Unsat0 with function Model0.model = Model7.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_SameIdxSamePolarityExcept as SameIdxSamePolarityExcept0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model1.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model1.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_decision_node,
+  use mach.int.UInt64
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model2
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant2 with function Model0.model = Model8.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_watches_watcher,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant6 with predicate Invariant0.invariant' = Invariant4.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model6 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model6.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model1.model,
-  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model2 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model6.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model5.model,
-  function Model1.model = Model7.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model5.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model5.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model4.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model7.model,
-  function Model1.model = Model5.model, predicate Invariant0.invariant' = Invariant6.invariant',
-  function Model2.model = Model4.model, function Model3.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model5.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model4.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model7.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model4.model, function Model1.model = Model5.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  use mach.int.Int64
-  clone CreusotContracts_Logic_Int_Impl18_Model as Model17
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve8 with type t = Type.alloc_vec_vec usize (Type.alloc_alloc_global)
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve7 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global)
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve6 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy7 with type t = usize, type a = Type.alloc_alloc_global
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy6 with type t = Type.creusat_trail_step
-  clone Core_Slice_Index_Impl2_Output as Output2 with type t = Type.creusat_trail_step
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue2 with type t = Type.creusat_trail_step
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds2 with type t = Type.creusat_trail_step
-  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve10 with type t = bool
-  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve9 with type t = usize
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_decision_decisions
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = usize
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy5 with type t = bool, type a = Type.alloc_alloc_global
-  clone CreusotContracts_Logic_Int_Impl18_ModelTy as ModelTy4
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model12 with type t = usize,
-  type ModelTy0.modelTy = ModelTy4.modelTy, function Model0.model = Model17.model
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy3 with type t = usize
-  clone Core_Slice_Index_Impl2_Output as Output1 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue1 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds1 with type t = usize
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy2 with type t = bool
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = bool
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
-  clone CreuSat_Clause_Impl2_Clone_Interface as Clone0
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model15 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy5.modelTy, function Model0.model = Model3.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model13 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy5.modelTy, function Model0.model = Model3.model
-  clone CreusotContracts_Std1_Vec_Impl1_Resolve as Resolve4 with type t = bool, function Model0.model = Model3.model,
-  predicate Resolve0.resolve = Resolve10.resolve
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = bool, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model3.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone Alloc_Vec_FromElem_Interface as FromElem0 with type t = bool, function Model0.model = Model3.model
-  clone CreuSat_Logic_LogicLit_Impl1_IsOpp as IsOpp0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl1_Index_Interface as Index2 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_ClauseIsSeen as ClauseIsSeen0 with function Model0.model = Model3.model,
-  function Model1.model = Model1.model, predicate IdxInLogic0.idx_in_logic = IdxInLogic0.idx_in_logic
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model14 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model1.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model11 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index1 with function Model0.model = Model11.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len1 with function Model0.model = Model11.model
-  clone CreuSat_Logic_LogicClause_Impl2_InFormula as InFormula0 with function Model0.model = Model0.model
-  clone CreuSat_Formula_Impl0_Index_Interface as Index0 with function Model0.model = Model2.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index4 with type t = Type.creusat_trail_step, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model5.model,
-  predicate InBounds0.in_bounds = InBounds2.in_bounds, predicate HasValue0.has_value = HasValue2.has_value,
-  type Output0.output = Output2.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_trail_step, type a = Type.alloc_alloc_global,
-  function Model0.model = Model5.model
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model16 with type t = Type.alloc_vec_vec usize (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy7.modelTy, function Model0.model = Model4.model
-  clone CreuSat_Decision_Impl1_IncrementAndMove_Interface as IncrementAndMove0 with function Model0.model = Model4.model,
-  predicate ElemsLessThan0.elems_less_than = ElemsLessThan0.elems_less_than,
-  predicate Invariant0.invariant' = Invariant0.invariant', predicate Invariant1.invariant' = Invariant2.invariant',
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreusotContracts_Std1_Vec_Impl1_Resolve as Resolve3 with type t = usize, function Model0.model = Model4.model,
-  predicate Resolve0.resolve = Resolve9.resolve
-  clone Alloc_Vec_Impl16_Index_Interface as Index3 with type t = usize, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model4.model,
-  predicate InBounds0.in_bounds = InBounds1.in_bounds, predicate HasValue0.has_value = HasValue1.has_value,
-  type Output0.output = Output1.output
-  clone Alloc_Vec_Impl1_Push_Interface as Push0 with type t = usize, type a = Type.alloc_alloc_global,
-  function Model0.model = Model4.model
-  clone Alloc_Vec_Impl0_New_Interface as New0 with type t = usize, function Model0.model = Model4.model
-  clone CreuSat_Trail_Impl0_DecisionLevel_Interface as DecisionLevel0 with function Model0.model = Model4.model
-  clone CreuSat_ConflictAnalysis_Resolve_Interface as Resolve5 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate InFormula0.in_formula = InFormula0.in_formula,
-  function Model0.model = Model14.model, function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function Model1.model = Model11.model, predicate IsOpp0.is_opp = IsOpp0.is_opp,
-  predicate SameIdxSamePolarityExcept0.same_idx_same_polarity_except = SameIdxSamePolarityExcept0.same_idx_same_polarity_except,
-  function Model2.model = Model7.model, predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner, function Model3.model = Model12.model,
-  function Model4.model = Model15.model, function Model5.model = Model16.model,
-  predicate ElemsLessThan0.elems_less_than = ElemsLessThan0.elems_less_than, function Model6.model = Model2.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
-  predicate ClauseIsSeen0.clause_is_seen = ClauseIsSeen0.clause_is_seen, predicate Unsat0.unsat = Unsat0.unsat,
-  predicate Invariant2.invariant' = Invariant3.invariant', function Model7.model = Model1.model,
-  function Model8.model = Model3.model, function Model9.model = Model4.model,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_ConflictAnalysis_ChooseLiteral_Interface as ChooseLiteral0 with predicate Invariant0.invariant' = Invariant1.invariant',
-  predicate Unsat0.unsat = Unsat0.unsat, function Model0.model = Model12.model, function Model1.model = Model5.model,
-  function Model2.model = Model13.model, function Model3.model = Model11.model, predicate IsOpp0.is_opp = IsOpp0.is_opp,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  let rec cfg analyze_conflict [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 192 0 192 95] (f : Type.creusat_formula_formula) (trail : Type.creusat_trail_trail) (cref : usize) (d : borrowed (Type.creusat_decision_decisions)) : Type.creusat_conflictanalysis_conflict
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 161 0 161 26] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 162 0 162 38] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < 18446744073709551615}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 163 0 163 32] Invariant1.invariant' trail f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 164 0 164 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 165 0 165 57] Unsat0.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref)) (Type.creusat_trail_trail_Trail_assignments trail)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 191 0 191 44] Invariant2.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 166 0 190 3] match (result) with
-      | Type.CreuSat_ConflictAnalysis_Conflict_Ground -> NotSatisfiable0.not_satisfiable f
-      | Type.CreuSat_ConflictAnalysis_Conflict_Unit clause -> Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) && Seq.length (Model1.model clause) = 1 && VarsInRangeInner0.vars_in_range_inner (Model1.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) && NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model clause) && EquisatExtensionInner0.equisat_extension_inner clause (Model2.model f)
-      | Type.CreuSat_ConflictAnalysis_Conflict_Learned s_idx clause -> Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) && Seq.length (Model1.model clause) > 1 && VarsInRangeInner0.vars_in_range_inner (Model1.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) && NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model clause) && EquisatExtensionInner0.equisat_extension_inner clause (Model2.model f) && UInt64.to_int s_idx < Seq.length (Model1.model clause)
-      | Type.CreuSat_ConflictAnalysis_Conflict_Restart clause -> Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) && Seq.length (Model1.model clause) > 1 && VarsInRangeInner0.vars_in_range_inner (Model1.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) && NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model clause) && EquisatExtensionInner0.equisat_extension_inner clause (Model2.model f)
-      end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 191 0 191 44] Invariant2.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+  predicate watches_invariant_internal [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 11 0 11 83] (w : Seq.seq (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global))) (n : int) (f : Type.creusat_formula_formula)
     
    =
-  var _0 : Type.creusat_conflictanalysis_conflict;
-  var f_1 : Type.creusat_formula_formula;
-  var trail_2 : Type.creusat_trail_trail;
-  var cref_3 : usize;
-  var d_4 : borrowed (Type.creusat_decision_decisions);
-  var decisionlevel_5 : usize;
-  var _6 : Type.creusat_trail_trail;
-  var to_bump_7 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var break_cond_8 : usize;
-  var _9 : bool;
-  var _10 : usize;
-  var path_c_11 : usize;
-  var seen_12 : Type.alloc_vec_vec bool (Type.alloc_alloc_global);
-  var _13 : usize;
-  var i_14 : usize;
-  var _15 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var clause_16 : Type.creusat_clause_clause;
-  var _17 : Type.creusat_clause_clause;
-  var _18 : Type.creusat_clause_clause;
-  var _19 : Type.creusat_formula_formula;
-  var _20 : usize;
-  var j_21 : usize;
-  var _22 : ();
-  var _23 : ();
-  var _24 : bool;
-  var _25 : usize;
-  var _26 : usize;
-  var _27 : Type.creusat_clause_clause;
-  var _28 : borrowed bool;
-  var _29 : borrowed (Type.alloc_vec_vec bool (Type.alloc_alloc_global));
-  var _30 : usize;
-  var _31 : Type.creusat_lit_lit;
-  var _32 : Type.creusat_lit_lit;
-  var _33 : Type.creusat_clause_clause;
-  var _34 : usize;
-  var _35 : ();
-  var _36 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _37 : usize;
-  var _38 : Type.creusat_lit_lit;
-  var _39 : Type.creusat_lit_lit;
-  var _40 : Type.creusat_clause_clause;
-  var _41 : usize;
-  var _42 : ();
-  var _43 : bool;
-  var _44 : usize;
-  var _45 : usize;
-  var _46 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _47 : usize;
-  var _48 : Type.creusat_lit_lit;
-  var _49 : Type.creusat_lit_lit;
-  var _50 : Type.creusat_clause_clause;
-  var _51 : usize;
-  var _52 : usize;
-  var _53 : ();
-  var _54 : ();
-  var _55 : ();
-  var clause_56 : Type.creusat_clause_clause;
-  var _57 : ();
-  var _58 : bool;
-  var _59 : usize;
-  var _60 : usize;
-  var c_idx_61 : usize;
-  var _62 : Type.core_option_option usize;
-  var _63 : Type.creusat_clause_clause;
-  var _64 : Type.creusat_clause_clause;
-  var _65 : Type.creusat_trail_trail;
-  var _66 : borrowed usize;
-  var _67 : borrowed usize;
-  var _68 : Type.creusat_formula_formula;
-  var _69 : Type.alloc_vec_vec bool (Type.alloc_alloc_global);
-  var _70 : Type.alloc_vec_vec bool (Type.alloc_alloc_global);
-  var _71 : isize;
-  var c_idx_72 : usize;
-  var _73 : ();
-  var ante_74 : Type.creusat_clause_clause;
-  var _75 : Type.creusat_trail_reason;
-  var _76 : Type.creusat_trail_step;
-  var _77 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var _78 : usize;
-  var _79 : isize;
-  var c_80 : usize;
-  var _81 : Type.creusat_clause_clause;
-  var _82 : Type.creusat_formula_formula;
-  var _83 : usize;
-  var c_84 : usize;
-  var _85 : Type.creusat_clause_clause;
-  var _86 : Type.creusat_clause_clause;
-  var _87 : Type.creusat_formula_formula;
-  var _88 : usize;
-  var _89 : ();
-  var idx_90 : usize;
-  var _91 : Type.creusat_lit_lit;
-  var _92 : Type.creusat_trail_step;
-  var _93 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var _94 : usize;
-  var _95 : ();
-  var _96 : ();
-  var _97 : Type.creusat_formula_formula;
-  var _98 : borrowed (Type.creusat_clause_clause);
-  var _99 : borrowed (Type.creusat_clause_clause);
-  var _100 : Type.creusat_clause_clause;
-  var _101 : usize;
-  var _102 : usize;
-  var _103 : Type.creusat_trail_trail;
-  var _104 : Type.creusat_trail_trail;
-  var _105 : borrowed (Type.alloc_vec_vec bool (Type.alloc_alloc_global));
-  var _106 : borrowed (Type.alloc_vec_vec bool (Type.alloc_alloc_global));
-  var _107 : borrowed usize;
-  var _108 : borrowed usize;
-  var _109 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _110 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _111 : ();
-  var _112 : ();
-  var _113 : ();
-  var _114 : ();
-  var _115 : borrowed (Type.creusat_decision_decisions);
-  var _116 : Type.creusat_formula_formula;
-  var _117 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _118 : bool;
-  var _119 : usize;
-  var _120 : Type.creusat_clause_clause;
-  var _121 : bool;
-  var _122 : usize;
-  var _123 : Type.creusat_clause_clause;
-  var _124 : Type.creusat_clause_clause;
-  var _125 : ();
-  var _126 : bool;
-  var _127 : usize;
-  var _128 : usize;
-  var _129 : ();
-  var _130 : Type.creusat_clause_clause;
-  var k_131 : usize;
-  var s_idx_132 : usize;
-  var _133 : ();
-  var _134 : bool;
-  var _135 : usize;
-  var _136 : usize;
-  var _137 : Type.creusat_clause_clause;
-  var _138 : ();
-  var _139 : bool;
-  var _140 : usize;
-  var _141 : usize;
-  var _142 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _143 : usize;
-  var _144 : Type.creusat_lit_lit;
-  var _145 : Type.creusat_lit_lit;
-  var _146 : Type.creusat_clause_clause;
-  var _147 : usize;
-  var _148 : usize;
-  var _149 : ();
-  var _150 : usize;
-  var _151 : ();
-  var _152 : ();
-  var _153 : ();
-  var _154 : usize;
-  var _155 : Type.creusat_clause_clause;
-  {
-    f_1 <- f;
-    trail_2 <- trail;
-    cref_3 <- cref;
-    d_4 <- d;
-    goto BB0
-  }
-  BB0 {
-    _6 <- trail_2;
-    decisionlevel_5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 193 24 193 46] DecisionLevel0.decision_level _6);
-    goto BB1
-  }
-  BB1 {
-    to_bump_7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 194 22 194 32] New0.new ());
-    goto BB2
-  }
-  BB2 {
-    _10 <- decisionlevel_5;
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 195 24 195 42] _10 = (0 : usize));
-    switch (_9)
-      | False -> goto BB4
-      | _ -> goto BB3
-      end
-  }
-  BB3 {
-    break_cond_8 <- (0 : usize);
-    goto BB5
-  }
-  BB4 {
-    break_cond_8 <- (1 : usize);
-    goto BB5
-  }
-  BB5 {
-    path_c_11 <- (0 : usize);
-    _13 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    seen_12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 197 19 197 42] FromElem0.from_elem false _13);
-    goto BB6
-  }
-  BB6 {
-    _15 <- Type.creusat_trail_trail_Trail_trail trail_2;
-    i_14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 198 16 198 33] Len0.len _15);
-    goto BB7
-  }
-  BB7 {
-    _19 <- f_1;
-    _20 <- cref_3;
-    _18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 199 17 199 24] Index0.index _19 _20);
-    goto BB8
-  }
-  BB8 {
-    _17 <- _18;
-    clause_16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 199 17 199 32] Clone0.clone' _17);
-    goto BB9
-  }
-  BB9 {
-    j_21 <- (0 : usize);
-    goto BB10
-  }
-  BB10 {
-    goto BB11
-  }
-  BB11 {
-    goto BB12
-  }
-  BB12 {
-    goto BB13
-  }
-  BB13 {
-    goto BB14
-  }
-  BB14 {
-    invariant seen_is_clause { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 201 4 202 98] forall idx : (int) . 0 <= idx && idx < Seq.length (Model3.model seen_12) -> Seq.get (Model3.model seen_12) idx = (exists i : (int) . 0 <= i && i < UInt64.to_int j_21 && IndexLogic0.index_logic (Seq.get (Model1.model clause_16) i) = idx) };
-    invariant seen_len { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 203 4 203 56] Seq.length (Model3.model seen_12) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    invariant path_c_less { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 204 4 204 44] UInt64.to_int path_c_11 <= UInt64.to_int j_21 };
-    invariant j_is_len { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 205 4 205 49] UInt64.to_int j_21 <= Seq.length (Model1.model clause_16) };
-    invariant elems_less { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 206 4 206 68] ElemsLessThan0.elems_less_than (Model4.model to_bump_7) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1)) };
-    _25 <- j_21;
-    _27 <- clause_16;
-    _26 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 207 14 207 26] Len1.len _27);
-    goto BB15
-  }
-  BB15 {
-    _24 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 207 10 207 26] _25 < _26);
-    switch (_24)
-      | False -> goto BB29
-      | _ -> goto BB16
-      end
-  }
-  BB16 {
-    _29 <- borrow_mut seen_12;
-    seen_12 <-  ^ _29;
-    _33 <- clause_16;
-    _34 <- j_21;
-    _32 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 208 13 208 22] Index1.index _33 _34);
-    goto BB17
-  }
-  BB17 {
-    _31 <- _32;
-    _30 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 208 13 208 30] Index2.index _31);
-    goto BB18
-  }
-  BB18 {
-    _28 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 208 8 208 31] IndexMut0.index_mut _29 _30);
-    goto BB19
-  }
-  BB19 {
-    _28 <- { _28 with current = true };
-    assume { Resolve0.resolve _28 };
-    _36 <- borrow_mut to_bump_7;
-    to_bump_7 <-  ^ _36;
-    _40 <- clause_16;
-    _41 <- j_21;
-    _39 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 209 21 209 30] Index1.index _40 _41);
-    goto BB20
-  }
-  BB20 {
-    _38 <- _39;
-    _37 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 209 21 209 38] Index2.index _38);
-    goto BB21
-  }
-  BB21 {
-    _35 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 209 8 209 39] Push0.push _36 _37);
-    goto BB22
-  }
-  BB22 {
-    _46 <- Type.creusat_trail_trail_Trail_lit_to_level trail_2;
-    _50 <- clause_16;
-    _51 <- j_21;
-    _49 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 210 30 210 39] Index1.index _50 _51);
-    goto BB23
-  }
-  BB23 {
-    _48 <- _49;
-    _47 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 210 30 210 47] Index2.index _48);
-    goto BB24
-  }
-  BB24 {
-    _45 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 210 11 210 48] Index3.index _46 _47);
-    goto BB25
-  }
-  BB25 {
-    _44 <- _45;
-    _52 <- decisionlevel_5;
-    _43 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 210 11 210 65] _44 >= _52);
-    switch (_43)
-      | False -> goto BB27
-      | _ -> goto BB26
-      end
-  }
-  BB26 {
-    path_c_11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 211 12 211 23] path_c_11 + (1 : usize));
-    _42 <- ();
-    goto BB28
-  }
-  BB27 {
-    _42 <- ();
-    goto BB28
-  }
-  BB28 {
-    j_21 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 213 8 213 14] j_21 + (1 : usize));
-    _23 <- ();
-    goto BB14
-  }
-  BB29 {
-    _22 <- ();
-    clause_56 <- clause_16;
-    goto BB30
-  }
-  BB30 {
-    goto BB31
-  }
-  BB31 {
-    goto BB32
-  }
-  BB32 {
-    goto BB33
-  }
-  BB33 {
-    goto BB34
-  }
-  BB34 {
-    goto BB35
-  }
-  BB35 {
-    goto BB36
-  }
-  BB36 {
-    goto BB37
-  }
-  BB37 {
-    invariant seen_len { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 216 4 216 56] Seq.length (Model3.model seen_12) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    invariant seen_is_clause { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 217 4 218 54] forall idx : (int) . 0 <= idx && idx < Seq.length (Model3.model seen_12) -> Seq.get (Model3.model seen_12) idx = IdxInLogic0.idx_in_logic idx (Model1.model clause_56) };
-    invariant clause_vars { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 219 4 219 60] Invariant3.invariant' clause_56 (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1)) };
-    invariant clause_equi { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 220 4 220 66] EquisatExtensionInner0.equisat_extension_inner clause_56 (Model2.model f_1) };
-    invariant clause_unsat { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 221 4 221 63] Unsat0.unsat clause_56 (Type.creusat_trail_trail_Trail_assignments trail_2) };
-    invariant i_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 222 4 222 64] 0 <= UInt64.to_int i_14 && UInt64.to_int i_14 <= Seq.length (Model5.model (Type.creusat_trail_trail_Trail_trail trail_2)) };
-    invariant path_c_less { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 223 4 223 57] UInt64.to_int path_c_11 <= Seq.length (Model1.model clause_56) };
-    invariant elems_less { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 224 4 224 68] ElemsLessThan0.elems_less_than (Model4.model to_bump_7) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1)) };
-    _59 <- path_c_11;
-    _60 <- break_cond_8;
-    _58 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 225 10 225 29] _59 > _60);
-    switch (_58)
-      | False -> goto BB54
-      | _ -> goto BB38
-      end
-  }
-  BB38 {
-    _64 <- clause_56;
-    _63 <- _64;
-    _65 <- trail_2;
-    _67 <- borrow_mut i_14;
-    i_14 <-  ^ _67;
-    _66 <- borrow_mut ( * _67);
-    _67 <- { _67 with current = ( ^ _66) };
-    _68 <- f_1;
-    _70 <- seen_12;
-    _69 <- _70;
-    _62 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 226 26 226 74] ChooseLiteral0.choose_literal _63 _65 _66 _68 _69);
-    goto BB39
-  }
-  BB39 {
-    assume { Resolve1.resolve _67 };
-    switch (_62)
-      | Type.Core_Option_Option_None -> goto BB40
-      | Type.Core_Option_Option_Some _ -> goto BB42
-      end
-  }
-  BB40 {
-    _57 <- ();
-    goto BB55
-  }
-  BB41 {
-    assume { Resolve2.resolve d_4 };
-    assume { Resolve3.resolve to_bump_7 };
-    assume { Resolve4.resolve seen_12 };
-    absurd
-  }
-  BB42 {
-    c_idx_72 <- Type.core_option_option_Some_0 _62;
-    c_idx_61 <- c_idx_72;
-    _77 <- Type.creusat_trail_trail_Trail_trail trail_2;
-    _78 <- i_14;
-    _76 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 230 26 230 40] Index4.index _77 _78);
-    goto BB43
-  }
-  BB43 {
-    _75 <- Type.creusat_trail_step_Step_reason _76;
-    switch (_75)
-      | Type.CreuSat_Trail_Reason_Unit _ -> goto BB47
-      | Type.CreuSat_Trail_Reason_Long _ -> goto BB45
-      | _ -> goto BB44
-      end
-  }
-  BB44 {
-    _57 <- ();
-    goto BB55
-  }
-  BB45 {
-    c_80 <- Type.creusat_trail_reason_Long_0 _75;
-    _82 <- f_1;
-    _83 <- c_80;
-    _81 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 231 32 231 37] Index0.index _82 _83);
-    goto BB46
-  }
-  BB46 {
-    ante_74 <- _81;
-    goto BB49
-  }
-  BB47 {
-    c_84 <- Type.creusat_trail_reason_Unit_0 _75;
-    _87 <- f_1;
-    _88 <- c_84;
-    _86 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 232 32 232 37] Index0.index _87 _88);
-    goto BB48
-  }
-  BB48 {
-    _85 <- _86;
-    ante_74 <- _85;
-    goto BB49
-  }
-  BB49 {
-    _93 <- Type.creusat_trail_trail_Trail_trail trail_2;
-    _94 <- i_14;
-    _92 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 235 18 235 32] Index4.index _93 _94);
-    goto BB50
-  }
-  BB50 {
-    _91 <- Type.creusat_trail_step_Step_lit _92;
-    idx_90 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 235 18 235 44] Index2.index _91);
-    goto BB51
-  }
-  BB51 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 236 8 236 72] SameIdxSamePolarityExcept0.same_idx_same_polarity_except clause_56 ante_74 (UInt64.to_int idx_90) };
-    goto BB52
-  }
-  BB52 {
-    _95 <- ();
-    _97 <- f_1;
-    _99 <- borrow_mut clause_56;
-    clause_56 <-  ^ _99;
-    _98 <- borrow_mut ( * _99);
-    _99 <- { _99 with current = ( ^ _98) };
-    _100 <- ante_74;
-    _101 <- idx_90;
-    _102 <- c_idx_61;
-    _104 <- trail_2;
-    _103 <- _104;
-    _106 <- borrow_mut seen_12;
-    seen_12 <-  ^ _106;
-    _105 <- borrow_mut ( * _106);
-    _106 <- { _106 with current = ( ^ _105) };
-    _108 <- borrow_mut path_c_11;
-    path_c_11 <-  ^ _108;
-    _107 <- borrow_mut ( * _108);
-    _108 <- { _108 with current = ( ^ _107) };
-    _110 <- borrow_mut to_bump_7;
-    to_bump_7 <-  ^ _110;
-    _109 <- borrow_mut ( * _110);
-    _110 <- { _110 with current = ( ^ _109) };
-    _96 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 237 8 237 95] Resolve5.resolve _97 _98 _100 _101 _102 _103 _105 _107 _109);
-    goto BB53
-  }
-  BB53 {
-    assume { Resolve6.resolve _99 };
-    assume { Resolve7.resolve _106 };
-    assume { Resolve1.resolve _108 };
-    assume { Resolve8.resolve _110 };
-    _23 <- ();
-    goto BB37
-  }
-  BB54 {
-    _57 <- ();
-    goto BB56
-  }
-  BB55 {
-    goto BB56
-  }
-  BB56 {
-    _115 <- borrow_mut ( * d_4);
-    d_4 <- { d_4 with current = ( ^ _115) };
-    _116 <- f_1;
-    assume { Resolve3.resolve _117 };
-    _117 <- to_bump_7;
-    _114 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 240 4 240 36] IncrementAndMove0.increment_and_move _115 _116 _117);
-    goto BB57
-  }
-  BB57 {
-    assume { Resolve2.resolve d_4 };
-    _120 <- clause_56;
-    _119 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 241 7 241 19] Len1.len _120);
-    goto BB58
-  }
-  BB58 {
-    _118 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 241 7 241 24] _119 = (0 : usize));
-    switch (_118)
-      | False -> goto BB60
-      | _ -> goto BB59
-      end
-  }
-  BB59 {
-    _0 <- Type.CreuSat_ConflictAnalysis_Conflict_Ground;
-    goto BB82
-  }
-  BB60 {
-    _123 <- clause_56;
-    _122 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 243 14 243 26] Len1.len _123);
-    goto BB61
-  }
-  BB61 {
-    _121 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 243 14 243 31] _122 = (1 : usize));
-    switch (_121)
-      | False -> goto BB64
-      | _ -> goto BB62
-      end
-  }
-  BB62 {
-    _124 <- clause_56;
-    _0 <- Type.CreuSat_ConflictAnalysis_Conflict_Unit _124;
-    goto BB63
-  }
-  BB63 {
-    goto BB81
-  }
-  BB64 {
-    _127 <- path_c_11;
-    _128 <- break_cond_8;
-    _126 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 247 11 247 30] _127 > _128);
-    switch (_126)
-      | False -> goto BB67
-      | _ -> goto BB65
-      end
-  }
-  BB65 {
-    _130 <- clause_56;
-    _0 <- Type.CreuSat_ConflictAnalysis_Conflict_Restart _130;
-    goto BB66
-  }
-  BB66 {
-    goto BB87
-  }
-  BB67 {
-    _125 <- ();
-    k_131 <- (0 : usize);
-    s_idx_132 <- (0 : usize);
-    goto BB68
-  }
-  BB68 {
-    goto BB69
-  }
-  BB69 {
-    goto BB70
-  }
-  BB70 {
-    invariant k_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 252 8 252 52] UInt64.to_int k_131 <= Seq.length (Model1.model clause_56) };
-    invariant s_idx_ok { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 253 8 253 56] UInt64.to_int s_idx_132 < Seq.length (Model1.model clause_56) };
-    _135 <- k_131;
-    _137 <- clause_56;
-    _136 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 254 18 254 30] Len1.len _137);
-    goto BB71
-  }
-  BB71 {
-    _134 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 254 14 254 30] _135 < _136);
-    switch (_134)
-      | False -> goto BB78
-      | _ -> goto BB72
-      end
-  }
-  BB72 {
-    _142 <- Type.creusat_trail_trail_Trail_lit_to_level trail_2;
-    _146 <- clause_56;
-    _147 <- k_131;
-    _145 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 255 34 255 43] Index1.index _146 _147);
-    goto BB73
-  }
-  BB73 {
-    _144 <- _145;
-    _143 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 255 34 255 51] Index2.index _144);
-    goto BB74
-  }
-  BB74 {
-    _141 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 255 15 255 52] Index3.index _142 _143);
-    goto BB75
-  }
-  BB75 {
-    _140 <- _141;
-    _148 <- decisionlevel_5;
-    _139 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 255 15 255 69] _140 = _148);
-    switch (_139)
-      | False -> goto BB77
-      | _ -> goto BB76
-      end
-  }
-  BB76 {
-    _150 <- k_131;
-    s_idx_132 <- _150;
-    _133 <- ();
-    goto BB79
-  }
-  BB77 {
-    _138 <- ();
-    k_131 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 259 12 259 18] k_131 + (1 : usize));
-    _23 <- ();
-    goto BB70
-  }
-  BB78 {
-    _133 <- ();
-    goto BB79
-  }
-  BB79 {
-    _154 <- s_idx_132;
-    _155 <- clause_56;
-    _0 <- Type.CreuSat_ConflictAnalysis_Conflict_Learned _154 _155;
-    goto BB80
-  }
-  BB80 {
-    goto BB81
-  }
-  BB81 {
-    goto BB82
-  }
-  BB82 {
-    goto BB83
-  }
-  BB83 {
-    goto BB84
-  }
-  BB84 {
-    goto BB85
-  }
-  BB85 {
-    assume { Resolve4.resolve seen_12 };
-    goto BB86
-  }
-  BB86 {
-    goto BB91
-  }
-  BB87 {
-    goto BB88
-  }
-  BB88 {
-    goto BB89
-  }
-  BB89 {
-    assume { Resolve4.resolve seen_12 };
-    goto BB90
-  }
-  BB90 {
-    goto BB91
-  }
-  BB91 {
-    return _0
-  }
-  
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 12 4 20 5] 2 * n = Seq.length w /\ (forall i : (int) . 0 <= i /\ i < Seq.length w -> (forall j : (int) . 0 <= j /\ j < Seq.length (Model0.model (Seq.get w i)) -> UInt64.to_int (Type.creusat_watches_watcher_Watcher_cref (Seq.get (Model0.model (Seq.get w i)) j)) < Seq.length (Model1.model (Type.creusat_formula_formula_Formula_clauses f)) /\ Seq.length (Model2.model (Seq.get (Model1.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int (Type.creusat_watches_watcher_Watcher_cref (Seq.get (Model0.model (Seq.get w i)) j))))) > 1 /\ IndexLogic0.index_logic (Type.creusat_watches_watcher_Watcher_blocker (Seq.get (Model0.model (Seq.get w i)) j)) < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)))
 end
-module CreuSat_ConflictAnalysis_ResolveEmptyClause_Interface
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
+module CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface
   use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable_Interface as NotSatisfiable0
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  predicate invariant' (self : Type.creusat_watches_watches) (f : Type.creusat_formula_formula)
+end
+module CreuSat_Logic_LogicWatches_Impl0_Invariant
+  use Type
+  use mach.int.UInt64
+  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal_Interface as WatchesInvariantInternal0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val resolve_empty_clause [@cfg:stackify] (f : Type.creusat_formula_formula) (trail : Type.creusat_trail_trail) (cref : usize) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 266 0 266 26] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 267 0 267 32] Invariant1.invariant' trail f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 268 0 268 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 269 0 269 57] Unsat0.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref)) (Type.creusat_trail_trail_Trail_assignments trail)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 270 0 270 42] result -> NotSatisfiable0.not_satisfiable f }
+  predicate invariant' [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 67 4 67 46] (self : Type.creusat_watches_watches) (f : Type.creusat_formula_formula)
     
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 68 8 83 9] WatchesInvariantInternal0.watches_invariant_internal (Model0.model (Type.creusat_watches_watches_Watches_watches self)) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) f
 end
-module CreuSat_ConflictAnalysis_ResolveEmptyClause
-  use mach.int.UInt64
+module CreuSat_Logic_LogicFormula_Impl2_SatInner_Interface
+  use Type
   use seq.Seq
   use mach.int.Int
   use prelude.Prelude
+  use prelude.UInt8
+  predicate sat_inner (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
+end
+module CreuSat_Logic_LogicFormula_Impl2_SatInner
   use Type
-  use mach.int.Int32
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
   use prelude.UInt8
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model6 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant3 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model6.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant5 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_IdxInLogic as IdxInLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model2 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner1 with function Model0.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model2.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model2.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant2 with function Model0.model = Model2.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner as UnsatInner0 with function Model0.model = Model2.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat as Unsat0 with function Model0.model = Model6.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = bool, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl2_ClauseIsSeen as ClauseIsSeen0 with function Model0.model = Model1.model,
-  function Model1.model = Model2.model, predicate IdxInLogic0.idx_in_logic = IdxInLogic0.idx_in_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant6 with function Model0.model = Model0.model,
-  function Model1.model = Model2.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant4 with predicate Invariant0.invariant' = Invariant5.invariant',
-  predicate Invariant1.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant4.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model0.model,
-  function Model1.model = Model2.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model3 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model3.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model2.model,
-  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant2.invariant', function Model1.model = Model2.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model3.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_trail_step,
+  use mach.int.Int32
+  clone CreuSat_Logic_LogicClause_Impl2_SatInner_Interface as SatInner0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model5.model,
-  function Model1.model = Model6.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model5.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model5.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model4.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model6.model,
-  function Model1.model = Model5.model, predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model2.model = Model4.model, function Model3.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model0.model = Model5.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model4.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model6.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model4.model, function Model1.model = Model5.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  use mach.int.Int64
-  clone CreusotContracts_Logic_Int_Impl18_Model as Model16
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve7 with type t = Type.alloc_vec_vec usize (Type.alloc_alloc_global)
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve6 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global)
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve5 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy6 with type t = usize, type a = Type.alloc_alloc_global
-  clone CreuSat_Logic_LogicUtil_ElemsLessThan as ElemsLessThan0
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy5 with type t = Type.creusat_trail_step
-  clone Core_Slice_Index_Impl2_Output as Output1 with type t = Type.creusat_trail_step
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue1 with type t = Type.creusat_trail_step
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds1 with type t = Type.creusat_trail_step
-  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve9 with type t = usize
-  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve8 with type t = bool
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = usize
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy4 with type t = bool, type a = Type.alloc_alloc_global
-  clone CreusotContracts_Logic_Int_Impl18_ModelTy as ModelTy3
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model11 with type t = usize,
-  type ModelTy0.modelTy = ModelTy3.modelTy, function Model0.model = Model16.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy2 with type t = bool
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = bool
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = bool
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
-  clone CreuSat_Clause_Impl2_Clone_Interface as Clone0
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreuSat_Logic_LogicLit_Impl1_IsOpp as IsOpp0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl1_Index_Interface as Index2 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_SameIdxSamePolarityExcept as SameIdxSamePolarityExcept0 with function Model0.model = Model2.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model13 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model2.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model10 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model2.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index1 with function Model0.model = Model10.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len1 with function Model0.model = Model10.model
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model14 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy4.modelTy, function Model0.model = Model1.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model12 with type t = Type.alloc_vec_vec bool (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy4.modelTy, function Model0.model = Model1.model
-  clone CreusotContracts_Std1_Vec_Impl1_Resolve as Resolve2 with type t = bool, function Model0.model = Model1.model,
-  predicate Resolve0.resolve = Resolve8.resolve
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = bool, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model1.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone Alloc_Vec_FromElem_Interface as FromElem0 with type t = bool, function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicClause_Impl2_InFormula as InFormula0 with function Model0.model = Model0.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model9 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model3.model
-  clone CreuSat_Formula_Impl0_Index_Interface as Index0 with function Model0.model = Model9.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index3 with type t = Type.creusat_trail_step, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model5.model,
-  predicate InBounds0.in_bounds = InBounds1.in_bounds, predicate HasValue0.has_value = HasValue1.has_value,
-  type Output0.output = Output1.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_trail_step, type a = Type.alloc_alloc_global,
-  function Model0.model = Model5.model
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model15 with type t = Type.alloc_vec_vec usize (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy6.modelTy, function Model0.model = Model4.model
-  clone CreusotContracts_Std1_Vec_Impl1_Resolve as Resolve3 with type t = usize, function Model0.model = Model4.model,
-  predicate Resolve0.resolve = Resolve9.resolve
-  clone Alloc_Vec_Impl0_New_Interface as New0 with type t = usize, function Model0.model = Model4.model
-  clone CreuSat_Trail_Impl0_DecisionLevel_Interface as DecisionLevel0 with function Model0.model = Model4.model
-  clone CreuSat_ConflictAnalysis_Resolve_Interface as Resolve4 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate InFormula0.in_formula = InFormula0.in_formula,
-  function Model0.model = Model13.model, function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function Model1.model = Model10.model, predicate IsOpp0.is_opp = IsOpp0.is_opp,
-  predicate SameIdxSamePolarityExcept0.same_idx_same_polarity_except = SameIdxSamePolarityExcept0.same_idx_same_polarity_except,
-  function Model2.model = Model6.model, predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner, function Model3.model = Model11.model,
-  function Model4.model = Model14.model, function Model5.model = Model15.model,
-  predicate ElemsLessThan0.elems_less_than = ElemsLessThan0.elems_less_than, function Model6.model = Model9.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
-  predicate ClauseIsSeen0.clause_is_seen = ClauseIsSeen0.clause_is_seen, predicate Unsat0.unsat = Unsat0.unsat,
-  predicate Invariant2.invariant' = Invariant2.invariant', function Model7.model = Model2.model,
-  function Model8.model = Model1.model, function Model9.model = Model4.model,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_ConflictAnalysis_ChooseLiteral_Interface as ChooseLiteral0 with predicate Invariant0.invariant' = Invariant1.invariant',
-  predicate Unsat0.unsat = Unsat0.unsat, function Model0.model = Model11.model, function Model1.model = Model5.model,
-  function Model2.model = Model12.model, function Model3.model = Model10.model, predicate IsOpp0.is_opp = IsOpp0.is_opp,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  let rec cfg resolve_empty_clause [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 271 0 271 76] (f : Type.creusat_formula_formula) (trail : Type.creusat_trail_trail) (cref : usize) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 266 0 266 26] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 267 0 267 32] Invariant1.invariant' trail f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 268 0 268 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 269 0 269 57] Unsat0.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref)) (Type.creusat_trail_trail_Trail_assignments trail)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 270 0 270 42] result -> NotSatisfiable0.not_satisfiable f }
+  predicate sat_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 149 4 149 57] (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
     
    =
-  var _0 : bool;
-  var f_1 : Type.creusat_formula_formula;
-  var trail_2 : Type.creusat_trail_trail;
-  var cref_3 : usize;
-  var decisionlevel_4 : usize;
-  var _5 : Type.creusat_trail_trail;
-  var seen_6 : Type.alloc_vec_vec bool (Type.alloc_alloc_global);
-  var _7 : usize;
-  var i_8 : usize;
-  var _9 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var clause_10 : Type.creusat_clause_clause;
-  var _11 : Type.creusat_clause_clause;
-  var _12 : Type.creusat_clause_clause;
-  var _13 : Type.creusat_formula_formula;
-  var _14 : usize;
-  var to_bump_15 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var j_16 : usize;
-  var _17 : ();
-  var _18 : ();
-  var _19 : bool;
-  var _20 : usize;
-  var _21 : usize;
-  var _22 : Type.creusat_clause_clause;
-  var _23 : borrowed bool;
-  var _24 : borrowed (Type.alloc_vec_vec bool (Type.alloc_alloc_global));
-  var _25 : usize;
-  var _26 : Type.creusat_lit_lit;
-  var _27 : Type.creusat_lit_lit;
-  var _28 : Type.creusat_clause_clause;
-  var _29 : usize;
-  var _30 : ();
-  var _31 : ();
-  var _32 : ();
-  var clause_33 : Type.creusat_clause_clause;
-  var _34 : ();
-  var c_idx_35 : usize;
-  var _36 : Type.core_option_option usize;
-  var _37 : Type.creusat_clause_clause;
-  var _38 : Type.creusat_clause_clause;
-  var _39 : Type.creusat_trail_trail;
-  var _40 : borrowed usize;
-  var _41 : borrowed usize;
-  var _42 : Type.creusat_formula_formula;
-  var _43 : Type.alloc_vec_vec bool (Type.alloc_alloc_global);
-  var _44 : Type.alloc_vec_vec bool (Type.alloc_alloc_global);
-  var _45 : isize;
-  var c_idx_46 : usize;
-  var _47 : ();
-  var ante_48 : Type.creusat_clause_clause;
-  var _49 : Type.creusat_trail_reason;
-  var _50 : Type.creusat_trail_step;
-  var _51 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var _52 : usize;
-  var _53 : isize;
-  var c_54 : usize;
-  var _55 : Type.creusat_clause_clause;
-  var _56 : Type.creusat_formula_formula;
-  var _57 : usize;
-  var _58 : ();
-  var path_c_59 : usize;
-  var _60 : ();
-  var _61 : Type.creusat_formula_formula;
-  var _62 : borrowed (Type.creusat_clause_clause);
-  var _63 : borrowed (Type.creusat_clause_clause);
-  var _64 : Type.creusat_clause_clause;
-  var _65 : usize;
-  var _66 : Type.creusat_lit_lit;
-  var _67 : Type.creusat_trail_step;
-  var _68 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var _69 : usize;
-  var _70 : usize;
-  var _71 : Type.creusat_trail_trail;
-  var _72 : Type.creusat_trail_trail;
-  var _73 : borrowed (Type.alloc_vec_vec bool (Type.alloc_alloc_global));
-  var _74 : borrowed (Type.alloc_vec_vec bool (Type.alloc_alloc_global));
-  var _75 : borrowed usize;
-  var _76 : borrowed usize;
-  var _77 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _78 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _79 : bool;
-  var _80 : usize;
-  var _81 : Type.creusat_clause_clause;
-  var _82 : ();
-  var _83 : ();
-  {
-    f_1 <- f;
-    trail_2 <- trail;
-    cref_3 <- cref;
-    goto BB0
-  }
-  BB0 {
-    _5 <- trail_2;
-    decisionlevel_4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 272 24 272 46] DecisionLevel0.decision_level _5);
-    goto BB1
-  }
-  BB1 {
-    _7 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    seen_6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 273 19 273 42] FromElem0.from_elem false _7);
-    goto BB2
-  }
-  BB2 {
-    _9 <- Type.creusat_trail_trail_Trail_trail trail_2;
-    i_8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 274 16 274 33] Len0.len _9);
-    goto BB3
-  }
-  BB3 {
-    _13 <- f_1;
-    _14 <- cref_3;
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 275 17 275 24] Index0.index _13 _14);
-    goto BB4
-  }
-  BB4 {
-    _11 <- _12;
-    clause_10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 275 17 275 32] Clone0.clone' _11);
-    goto BB5
-  }
-  BB5 {
-    to_bump_15 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 276 22 276 32] New0.new ());
-    goto BB6
-  }
-  BB6 {
-    j_16 <- (0 : usize);
-    goto BB7
-  }
-  BB7 {
-    goto BB8
-  }
-  BB8 {
-    goto BB9
-  }
-  BB9 {
-    goto BB10
-  }
-  BB10 {
-    invariant seen_is_clause { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 278 4 279 98] forall idx : (int) . 0 <= idx && idx < Seq.length (Model1.model seen_6) -> Seq.get (Model1.model seen_6) idx = (exists i : (int) . 0 <= i && i < UInt64.to_int j_16 && IndexLogic0.index_logic (Seq.get (Model2.model clause_10) i) = idx) };
-    invariant seen_len { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 280 4 280 56] Seq.length (Model1.model seen_6) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    invariant j_is_len { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 281 4 281 49] UInt64.to_int j_16 <= Seq.length (Model2.model clause_10) };
-    _20 <- j_16;
-    _22 <- clause_10;
-    _21 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 283 14 283 26] Len1.len _22);
-    goto BB11
-  }
-  BB11 {
-    _19 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 283 10 283 26] _20 < _21);
-    switch (_19)
-      | False -> goto BB16
-      | _ -> goto BB12
-      end
-  }
-  BB12 {
-    _24 <- borrow_mut seen_6;
-    seen_6 <-  ^ _24;
-    _28 <- clause_10;
-    _29 <- j_16;
-    _27 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 284 13 284 22] Index1.index _28 _29);
-    goto BB13
-  }
-  BB13 {
-    _26 <- _27;
-    _25 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 284 13 284 30] Index2.index _26);
-    goto BB14
-  }
-  BB14 {
-    _23 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 284 8 284 31] IndexMut0.index_mut _24 _25);
-    goto BB15
-  }
-  BB15 {
-    _23 <- { _23 with current = true };
-    assume { Resolve0.resolve _23 };
-    j_16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 285 8 285 14] j_16 + (1 : usize));
-    _18 <- ();
-    goto BB10
-  }
-  BB16 {
-    _17 <- ();
-    clause_33 <- clause_10;
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 288 4 288 46] ClauseIsSeen0.clause_is_seen clause_33 seen_6 };
-    goto BB17
-  }
-  BB17 {
-    _34 <- ();
-    _38 <- clause_33;
-    _37 <- _38;
-    _39 <- trail_2;
-    _41 <- borrow_mut i_8;
-    i_8 <-  ^ _41;
-    _40 <- borrow_mut ( * _41);
-    _41 <- { _41 with current = ( ^ _40) };
-    _42 <- f_1;
-    _44 <- seen_6;
-    _43 <- _44;
-    _36 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 289 22 289 70] ChooseLiteral0.choose_literal _37 _39 _40 _42 _43);
-    goto BB18
-  }
-  BB18 {
-    assume { Resolve1.resolve _41 };
-    switch (_36)
-      | Type.Core_Option_Option_None -> goto BB19
-      | Type.Core_Option_Option_Some _ -> goto BB21
-      end
-  }
-  BB19 {
-    _0 <- false;
-    goto BB34
-  }
-  BB20 {
-    assume { Resolve2.resolve seen_6 };
-    assume { Resolve3.resolve to_bump_15 };
-    absurd
-  }
-  BB21 {
-    c_idx_46 <- Type.core_option_option_Some_0 _36;
-    c_idx_35 <- c_idx_46;
-    _51 <- Type.creusat_trail_trail_Trail_trail trail_2;
-    _52 <- i_8;
-    _50 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 293 22 293 36] Index3.index _51 _52);
-    goto BB22
-  }
-  BB22 {
-    _49 <- Type.creusat_trail_step_Step_reason _50;
-    switch (_49)
-      | Type.CreuSat_Trail_Reason_Unit _ -> goto BB24
-      | _ -> goto BB23
-      end
-  }
-  BB23 {
-    _0 <- false;
-    goto BB33
-  }
-  BB24 {
-    c_54 <- Type.creusat_trail_reason_Unit_0 _49;
-    _56 <- f_1;
-    _57 <- c_54;
-    _55 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 295 28 295 33] Index0.index _56 _57);
-    goto BB25
-  }
-  BB25 {
-    ante_48 <- _55;
-    path_c_59 <- (1 : usize);
-    _61 <- f_1;
-    _63 <- borrow_mut clause_33;
-    clause_33 <-  ^ _63;
-    _62 <- borrow_mut ( * _63);
-    _63 <- { _63 with current = ( ^ _62) };
-    _64 <- ante_48;
-    _68 <- Type.creusat_trail_trail_Trail_trail trail_2;
-    _69 <- i_8;
-    _67 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 299 34 299 48] Index3.index _68 _69);
-    goto BB26
-  }
-  BB26 {
-    _66 <- Type.creusat_trail_step_Step_lit _67;
-    _65 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 299 34 299 60] Index2.index _66);
-    goto BB27
-  }
-  BB27 {
-    _70 <- c_idx_35;
-    _72 <- trail_2;
-    _71 <- _72;
-    _74 <- borrow_mut seen_6;
-    seen_6 <-  ^ _74;
-    _73 <- borrow_mut ( * _74);
-    _74 <- { _74 with current = ( ^ _73) };
-    _76 <- borrow_mut path_c_59;
-    path_c_59 <-  ^ _76;
-    _75 <- borrow_mut ( * _76);
-    _76 <- { _76 with current = ( ^ _75) };
-    _78 <- borrow_mut to_bump_15;
-    to_bump_15 <-  ^ _78;
-    _77 <- borrow_mut ( * _78);
-    _78 <- { _78 with current = ( ^ _77) };
-    _60 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 299 4 299 114] Resolve4.resolve _61 _62 _64 _65 _70 _71 _73 _75 _77);
-    goto BB28
-  }
-  BB28 {
-    assume { Resolve5.resolve _63 };
-    assume { Resolve6.resolve _74 };
-    assume { Resolve1.resolve _76 };
-    assume { Resolve7.resolve _78 };
-    _81 <- clause_33;
-    _80 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 300 7 300 19] Len1.len _81);
-    goto BB29
-  }
-  BB29 {
-    _79 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/conflict_analysis.rs" 300 7 300 24] _80 = (0 : usize));
-    switch (_79)
-      | False -> goto BB31
-      | _ -> goto BB30
-      end
-  }
-  BB30 {
-    _0 <- true;
-    goto BB32
-  }
-  BB31 {
-    _0 <- false;
-    goto BB32
-  }
-  BB32 {
-    goto BB33
-  }
-  BB33 {
-    goto BB34
-  }
-  BB34 {
-    goto BB35
-  }
-  BB35 {
-    goto BB36
-  }
-  BB36 {
-    assume { Resolve3.resolve to_bump_15 };
-    goto BB37
-  }
-  BB37 {
-    goto BB38
-  }
-  BB38 {
-    assume { Resolve2.resolve seen_6 };
-    return _0
-  }
-  
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 150 8 153 9] forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) -> SatInner0.sat_inner (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) i) a
 end
-module CreuSat_Decision_Impl2_Clone_Interface
-  use prelude.Prelude
+module CreuSat_Logic_LogicFormula_Impl2_EventuallySatCompleteNoAss_Interface
   use Type
-  val clone' [@cfg:stackify] (self : Type.creusat_decision_node) : Type.creusat_decision_node
+  predicate eventually_sat_complete_no_ass (self : Type.creusat_formula_formula)
 end
-module CreuSat_Decision_Impl2_Clone
-  use prelude.Prelude
+module CreuSat_Logic_LogicFormula_Impl2_EventuallySatCompleteNoAss
   use Type
-  let rec cfg clone' [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 11 9 11 14] (self : Type.creusat_decision_node) : Type.creusat_decision_node
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
+  use prelude.UInt8
+  use mach.int.UInt64
+  clone CreuSat_Logic_LogicFormula_Impl2_SatInner_Interface as SatInner0
+  clone CreuSat_Logic_LogicAssignments_CompleteInner_Interface as CompleteInner0
+  predicate eventually_sat_complete_no_ass [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 80 4 80 55] (self : Type.creusat_formula_formula)
     
    =
-  var _0 : Type.creusat_decision_node;
-  var self_1 : Type.creusat_decision_node;
-  {
-    self_1 <- self;
-    goto BB0
-  }
-  BB0 {
-    _0 <- self_1;
-    return _0
-  }
-  
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 81 8 83 9] exists a2 : (Seq.seq uint8) . Seq.length a2 = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self) /\ CompleteInner0.complete_inner a2 /\ SatInner0.sat_inner self a2
 end
-module CreuSat_Decision_Impl0_Default_Interface
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
+module CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface
   use Type
-  val default [@cfg:stackify] (_ : ()) : Type.creusat_decision_node
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 21 4 21 43] UInt64.to_int (Type.creusat_decision_node_Node_next result) = 18446744073709551615 }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 22 4 22 43] UInt64.to_int (Type.creusat_decision_node_Node_prev result) = 18446744073709551615 }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 23 4 23 33] UInt64.to_int (Type.creusat_decision_node_Node_ts result) = 0 }
-    
+  predicate equisat (self : Type.creusat_formula_formula) (o : Type.creusat_formula_formula)
 end
-module CreuSat_Decision_Impl0_Default
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
+module CreuSat_Logic_LogicFormula_Impl2_Equisat
   use Type
-  let rec cfg default [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 24 4 24 24] (_ : ()) : Type.creusat_decision_node
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 21 4 21 43] UInt64.to_int (Type.creusat_decision_node_Node_next result) = 18446744073709551615 }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 22 4 22 43] UInt64.to_int (Type.creusat_decision_node_Node_prev result) = 18446744073709551615 }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 23 4 23 33] UInt64.to_int (Type.creusat_decision_node_Node_ts result) = 0 }
+  clone CreuSat_Logic_LogicFormula_Impl2_EventuallySatCompleteNoAss_Interface as EventuallySatCompleteNoAss0
+  predicate equisat [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 86 4 86 44] (self : Type.creusat_formula_formula) (o : Type.creusat_formula_formula)
     
    =
-  var _0 : Type.creusat_decision_node;
-  {
-    goto BB0
-  }
-  BB0 {
-    _0 <- Type.CreuSat_Decision_Node (18446744073709551615 : usize) (18446744073709551615 : usize) (0 : usize);
-    return _0
-  }
-  
-end
-module Core_Default_Default_Default_Interface
-  type self
-  val default [@cfg:stackify] (_ : ()) : self
-    requires {false}
-    
-end
-module Core_Default_Default_Default
-  type self
-  val default [@cfg:stackify] (_ : ()) : self
-    requires {false}
-    
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 85 4 85 16] EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass self = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass o
 end
-module CreuSat_Decision_Impl0
-  use Type
-  clone CreuSat_Decision_Impl0_Default_Interface as Default0
-  clone Core_Default_Default_Default_Interface as Default1 with type self = Type.creusat_decision_node,
-  val default = Default0.default
-end
-module CreuSat_Decision_Impl1_MakeLinkedList_Interface
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  use prelude.Prelude
+module CreuSat_Logic_LogicFormula_Compatible_Interface
   use seq.Seq
   use Type
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant1
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = usize, type a = Type.alloc_alloc_global,
-  axiom .
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val make_linked_list [@cfg:stackify] (f : Type.creusat_formula_formula) (lit_order : Type.alloc_vec_vec usize (Type.alloc_alloc_global)) : Type.creusat_decision_decisions
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 39 4 39 30] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 40 4 40 63] 0 < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) && UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 41 4 43 48] Seq.length (Model0.model lit_order) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) && (forall i : (int) . 0 <= i && i < Seq.length (Model0.model lit_order) -> UInt64.to_int (Seq.get (Model0.model lit_order) i) < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 44 4 44 45] Invariant1.invariant' result (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+  use mach.int.Int
+  predicate compatible (f : (Seq.seq (Type.creusat_clause_clause), int)) (o : (Seq.seq (Type.creusat_clause_clause), int))
     
 end
-module CreuSat_Decision_Impl1_MakeLinkedList
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  use prelude.Prelude
+module CreuSat_Logic_LogicFormula_Compatible
   use seq.Seq
   use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant3 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model4 with function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant2 with function Model0.model = Model4.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model4.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model2 with function Model0.model = Model3.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model3.model,
-  predicate Invariant0.invariant' = Invariant2.invariant', function Model1.model = Model4.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model2.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant1 with function Model0.model = Model1.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve4 with type t = usize
-  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve3 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_decision_node
-  clone Core_Slice_Index_Impl2_Output as Output1 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue1 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds1 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = usize
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = usize
-  clone CreuSat_Decision_Impl0_Default_Interface as Default0
-  clone CreusotContracts_Std1_Vec_Impl1_Resolve as Resolve1 with type t = Type.creusat_decision_node,
-  function Model0.model = Model1.model, predicate Resolve0.resolve = Resolve3.resolve
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = Type.creusat_decision_node, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model1.model,
-  predicate InBounds0.in_bounds = InBounds1.in_bounds, predicate HasValue0.has_value = HasValue1.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output1.output
-  clone Alloc_Vec_FromElem_Interface as FromElem0 with type t = Type.creusat_decision_node,
-  function Model0.model = Model1.model
-  clone CreusotContracts_Std1_Vec_Impl1_Resolve as Resolve2 with type t = usize, function Model0.model = Model0.model,
-  predicate Resolve0.resolve = Resolve4.resolve
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = usize, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  let rec cfg make_linked_list [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 45 4 45 76] (f : Type.creusat_formula_formula) (lit_order : Type.alloc_vec_vec usize (Type.alloc_alloc_global)) : Type.creusat_decision_decisions
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 39 4 39 30] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 40 4 40 63] 0 < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) && UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 41 4 43 48] Seq.length (Model0.model lit_order) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) && (forall i : (int) . 0 <= i && i < Seq.length (Model0.model lit_order) -> UInt64.to_int (Seq.get (Model0.model lit_order) i) < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 44 4 44 45] Invariant1.invariant' result (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+  use mach.int.Int
+  use mach.int.Int32
+  clone CreuSat_Logic_LogicClause_Impl2_Equals_Interface as Equals0
+  predicate compatible [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 61 0 61 67] (f : (Seq.seq (Type.creusat_clause_clause), int)) (o : (Seq.seq (Type.creusat_clause_clause), int))
     
    =
-  var _0 : Type.creusat_decision_decisions;
-  var f_1 : Type.creusat_formula_formula;
-  var lit_order_2 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var iNVALID'_3 : usize;
-  var linked_list_4 : Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global);
-  var _5 : Type.creusat_decision_node;
-  var _6 : usize;
-  var i_7 : usize;
-  var head_8 : usize;
-  var _9 : ();
-  var _10 : ();
-  var _11 : bool;
-  var _12 : usize;
-  var _13 : usize;
-  var j_14 : usize;
-  var _15 : usize;
-  var _16 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _17 : usize;
-  var _18 : ();
-  var _19 : bool;
-  var _20 : usize;
-  var _21 : ();
-  var _22 : bool;
-  var _23 : usize;
-  var _24 : usize;
-  var _25 : usize;
-  var _26 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _27 : borrowed (Type.creusat_decision_node);
-  var _28 : borrowed (Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global));
-  var _29 : usize;
-  var _30 : usize;
-  var _31 : borrowed (Type.creusat_decision_node);
-  var _32 : borrowed (Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global));
-  var _33 : usize;
-  var _34 : usize;
-  var _35 : borrowed (Type.creusat_decision_node);
-  var _36 : borrowed (Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global));
-  var _37 : usize;
-  var _38 : usize;
-  var _39 : bool;
-  var _40 : usize;
-  var _41 : usize;
-  var _42 : usize;
-  var _43 : usize;
-  var _44 : borrowed (Type.creusat_decision_node);
-  var _45 : borrowed (Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global));
-  var _46 : usize;
-  var _47 : usize;
-  var _48 : usize;
-  var _49 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _50 : usize;
-  var _51 : usize;
-  var _52 : borrowed (Type.creusat_decision_node);
-  var _53 : borrowed (Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global));
-  var _54 : usize;
-  var _55 : usize;
-  var _56 : usize;
-  var _57 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _58 : usize;
-  var _59 : usize;
-  var _60 : borrowed (Type.creusat_decision_node);
-  var _61 : borrowed (Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global));
-  var _62 : usize;
-  var _63 : usize;
-  var _64 : usize;
-  var _65 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _66 : usize;
-  var _67 : usize;
-  var _68 : borrowed (Type.creusat_decision_node);
-  var _69 : borrowed (Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global));
-  var _70 : usize;
-  var _71 : usize;
-  var _72 : usize;
-  var _73 : borrowed (Type.creusat_decision_node);
-  var _74 : borrowed (Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global));
-  var _75 : usize;
-  var _76 : ();
-  var _77 : ();
-  var _78 : ();
-  var _79 : Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global);
-  var _80 : usize;
-  var _81 : usize;
-  var _82 : usize;
-  var _83 : usize;
-  {
-    f_1 <- f;
-    lit_order_2 <- lit_order;
-    goto BB0
-  }
-  BB0 {
-    goto BB1
-  }
-  BB1 {
-    iNVALID'_3 <- (18446744073709551615 : usize);
-    _5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 47 56 47 74] Default0.default ());
-    goto BB2
-  }
-  BB2 {
-    _6 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    linked_list_4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 47 41 47 87] FromElem0.from_elem _5 _6);
-    goto BB3
-  }
-  BB3 {
-    i_7 <- (0 : usize);
-    head_8 <- (0 : usize);
-    goto BB4
-  }
-  BB4 {
-    goto BB5
-  }
-  BB5 {
-    goto BB6
-  }
-  BB6 {
-    invariant len_ok { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 50 8 50 65] Seq.length (Model1.model linked_list_4) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    invariant head_ok { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 51 8 51 50] UInt64.to_int head_8 < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    invariant inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 52 8 54 103] forall j : (int) . 0 <= j && j < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) -> (UInt64.to_int (Type.creusat_decision_node_Node_next (Seq.get (Model1.model linked_list_4) j)) = 18446744073709551615 || UInt64.to_int (Type.creusat_decision_node_Node_next (Seq.get (Model1.model linked_list_4) j)) < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1)) && (UInt64.to_int (Type.creusat_decision_node_Node_prev (Seq.get (Model1.model linked_list_4) j)) = 18446744073709551615 || UInt64.to_int (Type.creusat_decision_node_Node_prev (Seq.get (Model1.model linked_list_4) j)) < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1)) };
-    _12 <- i_7;
-    _13 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    _11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 55 14 55 28] _12 < _13);
-    switch (_11)
-      | False -> goto BB30
-      | _ -> goto BB7
-      end
-  }
-  BB7 {
-    _16 <- lit_order_2;
-    _17 <- i_7;
-    _15 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 56 20 56 32] Index0.index _16 _17);
-    goto BB8
-  }
-  BB8 {
-    j_14 <- _15;
-    _20 <- i_7;
-    _19 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 57 15 57 21] _20 = (0 : usize));
-    switch (_19)
-      | False -> goto BB17
-      | _ -> goto BB9
-      end
-  }
-  BB9 {
-    _23 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    _22 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 58 19 58 33] _23 > (1 : usize));
-    switch (_22)
-      | False -> goto BB13
-      | _ -> goto BB10
-      end
-  }
-  BB10 {
-    _26 <- lit_order_2;
-    _25 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 59 42 59 54] Index0.index _26 (1 : usize));
-    goto BB11
-  }
-  BB11 {
-    _24 <- _25;
-    _28 <- borrow_mut linked_list_4;
-    linked_list_4 <-  ^ _28;
-    _29 <- j_14;
-    _27 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 59 20 59 34] IndexMut0.index_mut _28 _29);
-    goto BB12
-  }
-  BB12 {
-    _27 <- { _27 with current = (let Type.CreuSat_Decision_Node a b c =  * _27 in Type.CreuSat_Decision_Node _24 b c) };
-    assume { Resolve0.resolve _27 };
-    _21 <- ();
-    goto BB15
-  }
-  BB13 {
-    _30 <- iNVALID'_3;
-    _32 <- borrow_mut linked_list_4;
-    linked_list_4 <-  ^ _32;
-    _33 <- j_14;
-    _31 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 61 20 61 34] IndexMut0.index_mut _32 _33);
-    goto BB14
-  }
-  BB14 {
-    _31 <- { _31 with current = (let Type.CreuSat_Decision_Node a b c =  * _31 in Type.CreuSat_Decision_Node _30 b c) };
-    assume { Resolve0.resolve _31 };
-    _21 <- ();
-    goto BB15
-  }
-  BB15 {
-    _34 <- iNVALID'_3;
-    _36 <- borrow_mut linked_list_4;
-    linked_list_4 <-  ^ _36;
-    _37 <- j_14;
-    _35 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 63 16 63 30] IndexMut0.index_mut _36 _37);
-    goto BB16
-  }
-  BB16 {
-    _35 <- { _35 with current = (let Type.CreuSat_Decision_Node a b c =  * _35 in Type.CreuSat_Decision_Node a _34 c) };
-    assume { Resolve0.resolve _35 };
-    _38 <- j_14;
-    head_8 <- _38;
-    _18 <- ();
-    goto BB28
-  }
-  BB17 {
-    _40 <- i_7;
-    _42 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    _41 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 65 27 65 41] _42 - (1 : usize));
-    _39 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 65 22 65 41] _40 = _41);
-    switch (_39)
-      | False -> goto BB22
-      | _ -> goto BB18
-      end
-  }
-  BB18 {
-    _43 <- iNVALID'_3;
-    _45 <- borrow_mut linked_list_4;
-    linked_list_4 <-  ^ _45;
-    _46 <- j_14;
-    _44 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 66 16 66 30] IndexMut0.index_mut _45 _46);
-    goto BB19
-  }
-  BB19 {
-    _44 <- { _44 with current = (let Type.CreuSat_Decision_Node a b c =  * _44 in Type.CreuSat_Decision_Node _43 b c) };
-    assume { Resolve0.resolve _44 };
-    _49 <- lit_order_2;
-    _51 <- i_7;
-    _50 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 67 48 67 53] _51 - (1 : usize));
-    _48 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 67 38 67 54] Index0.index _49 _50);
-    goto BB20
-  }
-  BB20 {
-    _47 <- _48;
-    _53 <- borrow_mut linked_list_4;
-    linked_list_4 <-  ^ _53;
-    _54 <- j_14;
-    _52 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 67 16 67 30] IndexMut0.index_mut _53 _54);
-    goto BB21
-  }
-  BB21 {
-    _52 <- { _52 with current = (let Type.CreuSat_Decision_Node a b c =  * _52 in Type.CreuSat_Decision_Node a _47 c) };
-    assume { Resolve0.resolve _52 };
-    _18 <- ();
-    goto BB27
-  }
-  BB22 {
-    _57 <- lit_order_2;
-    _59 <- i_7;
-    _58 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 69 48 69 53] _59 + (1 : usize));
-    _56 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 69 38 69 54] Index0.index _57 _58);
-    goto BB23
-  }
-  BB23 {
-    _55 <- _56;
-    _61 <- borrow_mut linked_list_4;
-    linked_list_4 <-  ^ _61;
-    _62 <- j_14;
-    _60 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 69 16 69 30] IndexMut0.index_mut _61 _62);
-    goto BB24
-  }
-  BB24 {
-    _60 <- { _60 with current = (let Type.CreuSat_Decision_Node a b c =  * _60 in Type.CreuSat_Decision_Node _55 b c) };
-    assume { Resolve0.resolve _60 };
-    _65 <- lit_order_2;
-    _67 <- i_7;
-    _66 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 70 48 70 53] _67 - (1 : usize));
-    _64 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 70 38 70 54] Index0.index _65 _66);
-    goto BB25
-  }
-  BB25 {
-    _63 <- _64;
-    _69 <- borrow_mut linked_list_4;
-    linked_list_4 <-  ^ _69;
-    _70 <- j_14;
-    _68 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 70 16 70 30] IndexMut0.index_mut _69 _70);
-    goto BB26
-  }
-  BB26 {
-    _68 <- { _68 with current = (let Type.CreuSat_Decision_Node a b c =  * _68 in Type.CreuSat_Decision_Node a _63 c) };
-    assume { Resolve0.resolve _68 };
-    _18 <- ();
-    goto BB27
-  }
-  BB27 {
-    goto BB28
-  }
-  BB28 {
-    _71 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    _72 <- i_7;
-    _74 <- borrow_mut linked_list_4;
-    linked_list_4 <-  ^ _74;
-    _75 <- j_14;
-    _73 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 72 12 72 26] IndexMut0.index_mut _74 _75);
-    goto BB29
-  }
-  BB29 {
-    _73 <- { _73 with current = (let Type.CreuSat_Decision_Node a b c =  * _73 in Type.CreuSat_Decision_Node a b ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 72 12 72 46] _71 - _72)) };
-    assume { Resolve0.resolve _73 };
-    i_7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 73 12 73 18] i_7 + (1 : usize));
-    _10 <- ();
-    goto BB6
-  }
-  BB30 {
-    _9 <- ();
-    assume { Resolve1.resolve _79 };
-    _79 <- linked_list_4;
-    _81 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    _80 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 75 57 75 71] _81 + (1 : usize));
-    _82 <- head_8;
-    _83 <- head_8;
-    _0 <- Type.CreuSat_Decision_Decisions _79 _80 _82 _83;
-    goto BB31
-  }
-  BB31 {
-    goto BB32
-  }
-  BB32 {
-    goto BB33
-  }
-  BB33 {
-    assume { Resolve2.resolve lit_order_2 };
-    return _0
-  }
-  
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 62 4 67 5] (let (_, a) = f in a) = (let (_, a) = o in a) /\ Seq.length (let (a, _) = o in a) >= Seq.length (let (a, _) = f in a) /\ (forall i : (int) . 0 <= i /\ i < Seq.length (let (a, _) = f in a) -> Equals0.equals (Seq.get (let (a, _) = f in a) i) (Seq.get (let (a, _) = o in a) i))
 end
-module CreuSat_Logic_LogicUtil_SortedRangeRev_Interface
+module CreuSat_Logic_LogicFormula_Equisat_Interface
   use seq.Seq
+  use Type
   use mach.int.Int
-  use prelude.Prelude
-  use mach.int.UInt64
-  predicate sorted_range_rev (s : Seq.seq (usize, usize)) (l : int) (u : int)
+  predicate equisat (f : (Seq.seq (Type.creusat_clause_clause), int)) (o : (Seq.seq (Type.creusat_clause_clause), int))
 end
-module CreuSat_Logic_LogicUtil_SortedRangeRev
+module CreuSat_Logic_LogicFormula_Equisat
   use seq.Seq
+  use Type
   use mach.int.Int
-  use prelude.Prelude
-  use mach.int.UInt64
-  predicate sorted_range_rev [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 6 0 6 71] (s : Seq.seq (usize, usize)) (l : int) (u : int)
+  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss_Interface as EventuallySatCompleteNoAss0
+  predicate equisat [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 54 0 54 64] (f : (Seq.seq (Type.creusat_clause_clause), int)) (o : (Seq.seq (Type.creusat_clause_clause), int))
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 7 4 9 5] forall j : (int) . forall i : (int) . l <= i && i < j && j < u -> (let (a, _) = Seq.get s i in a) >= (let (a, _) = Seq.get s j in a)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 55 4 57 5] EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass f = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass o
 end
-module CreuSat_Logic_LogicUtil_SortedRev_Interface
+module CreuSat_Logic_LogicFormula_EquisatCompatibleInner_Interface
   use seq.Seq
+  use Type
   use mach.int.Int
-  use prelude.Prelude
-  use mach.int.UInt64
-  predicate sorted_rev (s : Seq.seq (usize, usize))
+  predicate equisat_compatible_inner (f : (Seq.seq (Type.creusat_clause_clause), int)) (o : (Seq.seq (Type.creusat_clause_clause), int))
+    
 end
-module CreuSat_Logic_LogicUtil_SortedRev
+module CreuSat_Logic_LogicFormula_EquisatCompatibleInner
   use seq.Seq
+  use Type
   use mach.int.Int
-  use prelude.Prelude
-  use mach.int.UInt64
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicUtil_SortedRangeRev_Interface as SortedRangeRev0
-  predicate sorted_rev [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 13 0 13 49] (s : Seq.seq (usize, usize))
+  clone CreuSat_Logic_LogicFormula_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicFormula_Compatible_Interface as Compatible0
+  predicate equisat_compatible_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 71 0 71 81] (f : (Seq.seq (Type.creusat_clause_clause), int)) (o : (Seq.seq (Type.creusat_clause_clause), int))
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 14 4 16 5] SortedRangeRev0.sorted_range_rev s 0 (Seq.length s)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 72 4 74 5] Compatible0.compatible f o /\ Equisat0.equisat f o
 end
-module CreuSat_Logic_LogicUtil_PartitionRev_Interface
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.UInt64
-  predicate partition_rev (v : Seq.seq (usize, usize)) (i : int)
+module CreuSat_Logic_LogicFormula_Impl2_EquisatCompatible_Interface
+  use Type
+  predicate equisat_compatible (self : Type.creusat_formula_formula) (o : Type.creusat_formula_formula)
 end
-module CreuSat_Logic_LogicUtil_PartitionRev
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.UInt64
-  use mach.int.Int32
-  predicate partition_rev [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 53 0 53 60] (v : Seq.seq (usize, usize)) (i : int)
+module CreuSat_Logic_LogicFormula_Impl2_EquisatCompatible
+  use Type
+  clone CreuSat_Logic_LogicFormula_EquisatCompatibleInner_Interface as EquisatCompatibleInner0
+  clone CreuSat_Logic_LogicFormula_Impl0_Model_Interface as Model0
+  predicate equisat_compatible [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 101 4 101 55] (self : Type.creusat_formula_formula) (o : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 54 4 54 110] forall k2 : (int) . forall k1 : (int) . 0 <= k1 && k1 < i && i <= k2 && k2 < Seq.length v -> (let (a, _) = Seq.get v k1 in a) >= (let (a, _) = Seq.get v k2 in a)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 102 8 102 57] EquisatCompatibleInner0.equisat_compatible_inner (Model0.model self) (Model0.model o)
 end
-module CreuSat_Util_SortReverse_Interface
-  use prelude.Prelude
+module CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic_Interface
   use Type
   use mach.int.Int
-  use mach.int.UInt64
-  clone CreusotContracts_Logic_Seq_Impl2_PermutationOf_Interface as PermutationOf0 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy0 with type t = (usize, usize),
-  type a = Type.alloc_alloc_global
-  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model1 with type t = Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  clone CreuSat_Logic_LogicUtil_SortedRev_Interface as SortedRev0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = (usize, usize),
-  type a = Type.alloc_alloc_global, axiom .
-  val sort_reverse [@cfg:stackify] (v : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global))) : ()
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 11 0 11 27] SortedRev0.sorted_rev (Model0.model ( ^ v)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 12 0 12 36] PermutationOf0.permutation_of (Model0.model ( ^ v)) (Model1.model v) }
+  function to_neg_watchidx_logic [@inline:trivial] (self : Type.creusat_lit_lit) : int
+end
+module CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic
+  use Type
+  use mach.int.Int
+  use mach.int.Int32
+  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  function to_neg_watchidx_logic [@inline:trivial] [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 39 4 39 45] (self : Type.creusat_lit_lit) : int
     
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 40 8 40 91] IndexLogic0.index_logic self * 2 + (if IsPositiveLogic0.is_positive_logic self then
+      1
+    else
+      0
+    )
 end
-module CreuSat_Util_SortReverse
+module CreuSat_Lit_Impl1_ToNegWatchidx_Interface
+  use mach.int.Int
   use prelude.Prelude
+  use mach.int.UInt64
+  use mach.int.Int32
   use Type
-  use mach.int.Int
+  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
+  clone CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic_Interface as ToNegWatchidxLogic0
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  val to_neg_watchidx [@cfg:stackify] (self : Type.creusat_lit_lit) : usize
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 97 4 97 51] IndexLogic0.index_logic self < div 18446744073709551615 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 98 4 98 55] UInt64.to_int result = ToNegWatchidxLogic0.to_neg_watchidx_logic self }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 99 4 99 96] UInt64.to_int result = IndexLogic0.index_logic self * 2 + (if IsPositiveLogic0.is_positive_logic self then
+      1
+    else
+      0
+    ) }
+    
+end
+module CreuSat_Watches_Impl0_AddWatcher_Interface
   use mach.int.UInt64
   use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
   use mach.int.Int32
-  clone CreuSat_Logic_LogicUtil_PartitionRev as PartitionRev0
-  clone CreusotContracts_Logic_Seq_Impl2_PermutationOf as PermutationOf0 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy0 with type t = (usize, usize),
-  type a = Type.alloc_alloc_global
-  clone CreuSat_Logic_LogicUtil_SortedRangeRev as SortedRangeRev0
-  clone CreuSat_Logic_LogicUtil_SortedRev as SortedRev0 with predicate SortedRangeRev0.sorted_range_rev = SortedRangeRev0.sorted_range_rev
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = (usize, usize), type a = Type.alloc_alloc_global,
-  axiom .
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model1 with type t = Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model0.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global)
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = seq (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl0_Model as Model2 with type t = (usize, usize), axiom .
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = (usize, usize)
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model3 with type t = seq (usize, usize),
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model2.model
-  clone Core_Slice_Impl0_Swap_Interface as Swap0 with type t = (usize, usize), function Model0.model = Model3.model,
-  function Model1.model = Model2.model
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = (usize, usize)
-  clone Alloc_Vec_Impl11_DerefMut_Interface as DerefMut0 with type t = (usize, usize), type a = Type.alloc_alloc_global,
-  function Model0.model = Model2.model, function Model1.model = Model0.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = (usize, usize), type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = (usize, usize), type a = Type.alloc_alloc_global,
-  function Model0.model = Model0.model
-  let rec cfg sort_reverse [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 13 0 13 48] (v : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global))) : ()
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 11 0 11 27] SortedRev0.sorted_rev (Model0.model ( ^ v)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 12 0 12 36] PermutationOf0.permutation_of (Model0.model ( ^ v)) (Model1.model v) }
+  use Type
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model2
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic_Interface as ToNegWatchidxLogic0
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant0
+  val add_watcher [@cfg:stackify] (self : borrowed (Type.creusat_watches_watches)) (lit : Type.creusat_lit_lit) (cref : usize) (_f : Type.creusat_formula_formula) (blocker : Type.creusat_lit_lit) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 105 4 105 43] Invariant0.invariant' ( * self) _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 106 4 106 44] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses _f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 107 4 107 50] IndexLogic0.index_logic lit < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 108 4 108 53] IndexLogic0.index_logic blocker < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 109 4 109 68] ToNegWatchidxLogic0.to_neg_watchidx_logic lit < Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( * self)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 110 4 110 50] Seq.length (Model2.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) > 1}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 105 4 105 43] Invariant0.invariant' ( ^ self) _f }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 111 4 111 65] Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( * self))) = Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( ^ self))) }
     
-   =
-  var _0 : ();
-  var v_1 : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global));
-  var i_2 : usize;
-  ghost var old_v_3 : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global));
-  var _4 : ();
-  var _5 : ();
-  var _6 : bool;
-  var _7 : usize;
-  var _8 : usize;
-  var _9 : Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global);
-  var max_10 : usize;
-  var j_11 : usize;
-  var _12 : usize;
-  var _13 : ();
-  var _14 : bool;
-  var _15 : usize;
-  var _16 : usize;
-  var _17 : Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global);
-  var _18 : ();
-  var _19 : bool;
-  var _20 : usize;
-  var _21 : (usize, usize);
-  var _22 : Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global);
-  var _23 : usize;
-  var _24 : usize;
-  var _25 : (usize, usize);
-  var _26 : Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global);
-  var _27 : usize;
-  var _28 : usize;
-  var _29 : ();
-  var _30 : ();
-  var _31 : ();
-  var _32 : ();
-  var _33 : borrowed (seq (usize, usize));
-  var _34 : borrowed (seq (usize, usize));
-  var _35 : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global));
-  var _36 : usize;
-  var _37 : usize;
-  var _38 : ();
-  var _39 : ();
-  var _40 : ();
-  {
-    v_1 <- v;
-    goto BB0
-  }
-  BB0 {
-    i_2 <- (0 : usize);
-    _4 <- ();
-    old_v_3 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 15 16 15 28] v_1);
-    goto BB1
-  }
-  BB1 {
-    goto BB2
-  }
-  BB2 {
-    invariant proph_const { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 16 4 16 51]  ^ v_1 =  ^ old_v_3 };
-    invariant permutation { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 17 4 17 67] PermutationOf0.permutation_of (Model1.model v_1) (Model0.model ( * old_v_3)) };
-    invariant i_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 18 4 18 43] UInt64.to_int i_2 <= Seq.length (Model1.model v_1) };
-    invariant sorted { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 19 4 19 53] SortedRangeRev0.sorted_range_rev (Model1.model v_1) 0 (UInt64.to_int i_2) };
-    invariant partition { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 20 4 20 50] PartitionRev0.partition_rev (Model1.model v_1) (UInt64.to_int i_2) };
-    _7 <- i_2;
-    _9 <-  * v_1;
-    _8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 21 14 21 21] Len0.len _9);
-    goto BB3
-  }
-  BB3 {
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 21 10 21 21] _7 < _8);
-    switch (_6)
-      | False -> goto BB16
-      | _ -> goto BB4
-      end
-  }
-  BB4 {
-    max_10 <- i_2;
-    _12 <- i_2;
-    j_11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 23 20 23 25] _12 + (1 : usize));
-    goto BB5
-  }
-  BB5 {
-    invariant max_is_max { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 24 8 24 96] forall k : (int) . UInt64.to_int i_2 <= k && k < UInt64.to_int j_11 -> (let (a, _) = Seq.get (Model1.model v_1) (UInt64.to_int max_10) in a) >= (let (a, _) = Seq.get (Model1.model v_1) k in a) };
-    invariant j_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 25 8 25 59] UInt64.to_int i_2 <= UInt64.to_int j_11 && UInt64.to_int j_11 <= Seq.length (Model1.model v_1) };
-    invariant max_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 26 8 26 56] UInt64.to_int i_2 <= UInt64.to_int max_10 && UInt64.to_int max_10 < UInt64.to_int j_11 };
-    _15 <- j_11;
-    _17 <-  * v_1;
-    _16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 27 18 27 25] Len0.len _17);
-    goto BB6
-  }
-  BB6 {
-    _14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 27 14 27 25] _15 < _16);
-    switch (_14)
-      | False -> goto BB13
-      | _ -> goto BB7
-      end
-  }
-  BB7 {
-    _22 <-  * v_1;
-    _23 <- j_11;
-    _21 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 28 15 28 19] Index0.index _22 _23);
-    goto BB8
-  }
-  BB8 {
-    _20 <- (let (a, _) = _21 in a);
-    _26 <-  * v_1;
-    _27 <- max_10;
-    _25 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 28 24 28 30] Index0.index _26 _27);
-    goto BB9
-  }
-  BB9 {
-    _24 <- (let (a, _) = _25 in a);
-    _19 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 28 15 28 32] _20 > _24);
-    switch (_19)
-      | False -> goto BB11
-      | _ -> goto BB10
-      end
-  }
-  BB10 {
-    _28 <- j_11;
-    max_10 <- _28;
-    _18 <- ();
-    goto BB12
-  }
-  BB11 {
-    _18 <- ();
-    goto BB12
-  }
-  BB12 {
-    j_11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 31 12 31 18] j_11 + (1 : usize));
-    _5 <- ();
-    goto BB5
-  }
-  BB13 {
-    _13 <- ();
-    _35 <- borrow_mut ( * v_1);
-    v_1 <- { v_1 with current = ( ^ _35) };
-    _34 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 33 8 33 22] DerefMut0.deref_mut _35);
-    goto BB14
-  }
-  BB14 {
-    _33 <- borrow_mut ( * _34);
-    _34 <- { _34 with current = ( ^ _33) };
-    _36 <- i_2;
-    _37 <- max_10;
-    _32 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 33 8 33 22] Swap0.swap _33 _36 _37);
-    goto BB15
-  }
-  BB15 {
-    assume { Resolve0.resolve _34 };
-    i_2 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 34 8 34 14] i_2 + (1 : usize));
-    _5 <- ();
-    goto BB2
-  }
-  BB16 {
-    assume { Resolve1.resolve v_1 };
-    _0 <- ();
-    return _0
-  }
-  
 end
-module CreuSat_Decision_Impl1_New_Interface
+module CreuSat_Formula_Impl2_AddClause_Interface
+  use seq.Seq
   use mach.int.Int
   use mach.int.Int32
   use mach.int.UInt64
   use prelude.Prelude
   use Type
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model2 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface as EquisatExtensionInner0
+  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model1 with type t = Type.creusat_formula_formula,
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant3
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   axiom .
-  val new [@cfg:stackify] (f : Type.creusat_formula_formula) : Type.creusat_decision_decisions
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 79 4 79 30] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 80 4 80 63] 0 < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) && UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 81 4 81 45] Invariant1.invariant' result (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+  val add_clause [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (clause : Type.creusat_clause_clause) (watches : borrowed (Type.creusat_watches_watches)) (_t : Type.creusat_trail_trail) : usize
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 110 4 110 40] Invariant0.invariant' ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 111 4 111 40] Invariant1.invariant' _t ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 112 4 112 51] Invariant2.invariant' ( * watches) ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 113 4 113 37] Seq.length (Model0.model clause) >= 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 114 4 114 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 117 4 117 49] Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 118 4 118 55] EquisatExtensionInner0.equisat_extension_inner clause (Model1.model self)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 110 4 110 40] Invariant0.invariant' ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 111 4 111 40] Invariant1.invariant' _t ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 112 4 112 51] Invariant2.invariant' ( ^ watches) ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 119 4 119 51] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ self)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 120 4 120 35] Equisat0.equisat ( * self) ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 121 4 121 48] UInt64.to_int result = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 122 4 122 53] Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) (UInt64.to_int result) = clause }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 123 4 123 69] Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) + 1 = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) }
     
 end
-module CreuSat_Decision_Impl1_New
+module CreuSat_Formula_Impl2_AddUnwatchedClause_Interface
+  use seq.Seq
   use mach.int.Int
   use mach.int.Int32
   use mach.int.UInt64
   use prelude.Prelude
   use Type
-  use seq.Seq
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant3 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
+  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model2 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model6 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant2 with function Model0.model = Model6.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model6.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = (usize, usize), type a = Type.alloc_alloc_global,
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface as EquisatExtensionInner0
+  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model1 with type t = Type.creusat_formula_formula,
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant3
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model6.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
+  val add_unwatched_clause [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (clause : Type.creusat_clause_clause) (watches : borrowed (Type.creusat_watches_watches)) (_t : Type.creusat_trail_trail) : usize
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 144 4 144 40] Invariant0.invariant' ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 145 4 145 40] Invariant1.invariant' _t ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 146 4 146 51] Invariant2.invariant' ( * watches) ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 147 4 147 37] Seq.length (Model0.model clause) >= 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 148 4 148 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 151 4 151 49] Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 152 4 152 55] EquisatExtensionInner0.equisat_extension_inner clause (Model1.model self)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 144 4 144 40] Invariant0.invariant' ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 145 4 145 40] Invariant1.invariant' _t ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 146 4 146 51] Invariant2.invariant' ( ^ watches) ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 153 4 153 51] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ self)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 154 4 154 35] Equisat0.equisat ( * self) ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 155 4 155 48] UInt64.to_int result = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 156 4 156 53] Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) (UInt64.to_int result) = clause }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 157 4 157 69] Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) + 1 = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) }
+    
+end
+module CreuSat_Formula_Impl2_AddUnit_Interface
+  use seq.Seq
+  use mach.int.Int
+  use mach.int.Int32
+  use mach.int.UInt64
+  use prelude.Prelude
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model2 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model4 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant2.invariant', function Model1.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model4.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_decision_node,
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicFormula_Impl2_EquisatCompatible_Interface as EquisatCompatible0
+  clone CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface as EquisatExtensionInner0
+  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model1 with type t = Type.creusat_formula_formula,
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner_Interface as NoDuplicateIndexesInner0
+  clone CreuSat_Logic_LogicClause_VarsInRangeInner_Interface as VarsInRangeInner0
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val add_unit [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (clause : Type.creusat_clause_clause) (_t : Type.creusat_trail_trail) : usize
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 168 4 168 40] Invariant0.invariant' ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 169 4 169 40] Invariant1.invariant' _t ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 170 4 170 37] Seq.length (Model0.model clause) = 1}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 171 4 171 49] Invariant2.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 172 4 172 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 173 4 173 61] VarsInRangeInner0.vars_in_range_inner (Model0.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 174 4 174 52] NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model0.model clause)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 175 4 175 55] EquisatExtensionInner0.equisat_extension_inner clause (Model1.model self)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 168 4 168 40] Invariant0.invariant' ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 169 4 169 40] Invariant1.invariant' _t ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 176 4 176 51] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ self)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 177 4 177 46] EquisatCompatible0.equisat_compatible ( * self) ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 178 4 178 35] Equisat0.equisat ( * self) ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 179 4 179 48] UInt64.to_int result = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 180 4 180 57] Seq.length (Model0.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) (UInt64.to_int result))) = 1 }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 181 4 181 69] Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) + 1 = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) }
+    
+end
+module CreuSat_Logic_LogicFormula_Impl2_Sat_Interface
+  use Type
+  predicate sat (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
+end
+module CreuSat_Logic_LogicFormula_Impl2_Sat
+  use Type
+  clone CreuSat_Logic_LogicFormula_FormulaSatInner_Interface as FormulaSatInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model1
+  clone CreuSat_Logic_LogicFormula_Impl0_Model_Interface as Model0
+  predicate sat [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 157 4 157 44] (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 158 8 158 50] FormulaSatInner0.formula_sat_inner (Model0.model self) (Model1.model a)
+end
+module CreuSat_Formula_Impl2_IsSat_Interface
+  use prelude.Prelude
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_Sat_Interface as Sat0
+  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val is_sat [@cfg:stackify] (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments) : bool
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 192 4 192 33] Invariant0.invariant' self}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 193 4 193 35] Invariant1.invariant' a self}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 194 4 194 38] result = Sat0.sat self a }
+    
+end
+module CreuSat_Logic_LogicWatches_WatcherCrefsInRange_Interface
+  use seq.Seq
+  use Type
+  predicate watcher_crefs_in_range (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula)
+end
+module CreuSat_Logic_LogicWatches_WatcherCrefsInRange
+  use seq.Seq
+  use Type
+  use mach.int.Int
+  use mach.int.Int32
+  use mach.int.UInt64
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant1 with function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicUtil_SortedRangeRev as SortedRangeRev0
-  clone CreuSat_Logic_LogicUtil_SortedRev as SortedRev0 with predicate SortedRangeRev0.sorted_range_rev = SortedRangeRev0.sorted_range_rev
-  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve5 with type t = usize
-  clone CreusotContracts_Logic_Resolve_Impl0_Resolve as Resolve6 with type t1 = usize, type t2 = usize,
-  predicate Resolve0.resolve = Resolve5.resolve, predicate Resolve1.resolve = Resolve5.resolve
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy4 with type t = (usize, usize),
-  type a = Type.alloc_alloc_global
-  clone CreusotContracts_Logic_Seq_Impl2_PermutationOf as PermutationOf0 with type t = (usize, usize)
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy3 with type t = (usize, usize)
-  clone Core_Slice_Index_Impl2_Output as Output1 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere1 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue1 with type t = (usize, usize)
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds1 with type t = (usize, usize)
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy2 with type t = usize
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = usize
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy1
-  clone CreuSat_Lit_Impl1_Index_Interface as Index2 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model9 with type t = Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy4.modelTy, function Model0.model = Model3.model
-  clone CreuSat_Util_SortReverse_Interface as SortReverse0 with function Model0.model = Model3.model,
-  predicate SortedRev0.sorted_rev = SortedRev0.sorted_rev, function Model1.model = Model9.model,
-  predicate PermutationOf0.permutation_of = PermutationOf0.permutation_of
-  clone CreusotContracts_Std1_Vec_Impl1_Resolve as Resolve4 with type t = (usize, usize),
-  function Model0.model = Model3.model, predicate Resolve0.resolve = Resolve6.resolve
-  clone Alloc_Vec_Impl16_Index_Interface as Index4 with type t = (usize, usize), type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model3.model,
-  predicate InBounds0.in_bounds = InBounds1.in_bounds, predicate HasValue0.has_value = HasValue1.has_value,
-  type Output0.output = Output1.output
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut1 with type t = (usize, usize), type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model3.model,
-  predicate InBounds0.in_bounds = InBounds1.in_bounds, predicate HasValue0.has_value = HasValue1.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere1.resolve_elswhere, type Output0.output = Output1.output
-  clone Alloc_Vec_FromElem_Interface as FromElem1 with type t = (usize, usize), function Model0.model = Model3.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index1 with function Model0.model = Model2.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len1 with function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Vec_Impl1_Resolve as Resolve3 with type t = usize, function Model0.model = Model1.model,
-  predicate Resolve0.resolve = Resolve5.resolve
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = usize, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model1.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone Alloc_Vec_Impl16_Index_Interface as Index3 with type t = usize, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model1.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  clone Alloc_Vec_FromElem_Interface as FromElem0 with type t = usize, function Model0.model = Model1.model
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model8 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model4.model
-  clone CreuSat_Formula_Impl0_Index_Interface as Index0 with function Model0.model = Model8.model
-  clone CreuSat_Decision_Impl1_MakeLinkedList_Interface as MakeLinkedList0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  function Model0.model = Model1.model, predicate Invariant1.invariant' = Invariant1.invariant',
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg new [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 82 4 82 40] (f : Type.creusat_formula_formula) : Type.creusat_decision_decisions
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 79 4 79 30] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 80 4 80 63] 0 < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) && UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 81 4 81 45] Invariant1.invariant' result (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+  predicate watcher_crefs_in_range [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 35 0 35 66] (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula)
     
    =
-  var _0 : Type.creusat_decision_decisions;
-  var f_1 : Type.creusat_formula_formula;
-  var lit_order_2 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _3 : usize;
-  var counts_4 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _5 : usize;
-  var counts_with_index_6 : Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global);
-  var _7 : (usize, usize);
-  var _8 : usize;
-  var i_9 : usize;
-  var _10 : ();
-  var _11 : ();
-  var _12 : bool;
-  var _13 : usize;
-  var _14 : usize;
-  var _15 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var curr_clause_16 : Type.creusat_clause_clause;
-  var _17 : Type.creusat_clause_clause;
-  var _18 : Type.creusat_formula_formula;
-  var _19 : usize;
-  var j_20 : usize;
-  var _21 : ();
-  var _22 : bool;
-  var _23 : usize;
-  var _24 : usize;
-  var _25 : Type.creusat_clause_clause;
-  var _26 : ();
-  var _27 : bool;
-  var _28 : usize;
-  var _29 : usize;
-  var _30 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _31 : usize;
-  var _32 : Type.creusat_lit_lit;
-  var _33 : Type.creusat_lit_lit;
-  var _34 : Type.creusat_clause_clause;
-  var _35 : usize;
-  var _36 : usize;
-  var _37 : borrowed usize;
-  var _38 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _39 : usize;
-  var _40 : Type.creusat_lit_lit;
-  var _41 : Type.creusat_lit_lit;
-  var _42 : Type.creusat_clause_clause;
-  var _43 : usize;
-  var _44 : ();
-  var _45 : ();
-  var _46 : ();
-  var _47 : ();
-  var _48 : ();
-  var _49 : ();
-  var _50 : ();
-  var _51 : bool;
-  var _52 : usize;
-  var _53 : usize;
-  var _54 : usize;
-  var _55 : usize;
-  var _56 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _57 : usize;
-  var _58 : usize;
-  var _59 : borrowed (usize, usize);
-  var _60 : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global));
-  var _61 : usize;
-  var _62 : ();
-  var _63 : ();
-  var _64 : ();
-  var _65 : ();
-  var _66 : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global));
-  var _67 : borrowed (Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global));
-  var _68 : ();
-  var _69 : ();
-  var _70 : bool;
-  var _71 : usize;
-  var _72 : usize;
-  var _73 : usize;
-  var _74 : (usize, usize);
-  var _75 : Type.alloc_vec_vec (usize, usize) (Type.alloc_alloc_global);
-  var _76 : usize;
-  var _77 : borrowed usize;
-  var _78 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _79 : usize;
-  var _80 : ();
-  var _81 : ();
-  var _82 : ();
-  var _83 : Type.creusat_formula_formula;
-  var _84 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  {
-    f_1 <- f;
-    goto BB0
-  }
-  BB0 {
-    _3 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    lit_order_2 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 83 40 83 69] FromElem0.from_elem (0 : usize) _3);
-    goto BB1
-  }
-  BB1 {
-    _5 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    counts_4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 84 37 84 66] FromElem0.from_elem (0 : usize) _5);
-    goto BB2
-  }
-  BB2 {
-    _7 <- ((0 : usize), (0 : usize));
-    _8 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    counts_with_index_6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 85 57 85 91] FromElem1.from_elem _7 _8);
-    goto BB3
-  }
-  BB3 {
-    i_9 <- (0 : usize);
-    goto BB4
-  }
-  BB4 {
-    goto BB5
-  }
-  BB5 {
-    invariant i_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 87 8 87 55] UInt64.to_int i_9 <= Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f_1)) };
-    invariant counts_len1 { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 88 8 88 65] Seq.length (Model1.model counts_4) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    _13 <- i_9;
-    _15 <- Type.creusat_formula_formula_Formula_clauses f_1;
-    _14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 89 18 89 33] Len0.len _15);
-    goto BB6
-  }
-  BB6 {
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 89 14 89 33] _13 < _14);
-    switch (_12)
-      | False -> goto BB23
-      | _ -> goto BB7
-      end
-  }
-  BB7 {
-    _18 <- f_1;
-    _19 <- i_9;
-    _17 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 90 31 90 35] Index0.index _18 _19);
-    goto BB8
-  }
-  BB8 {
-    curr_clause_16 <- _17;
-    j_20 <- (0 : usize);
-    goto BB9
-  }
-  BB9 {
-    goto BB10
-  }
-  BB10 {
-    invariant i_bound2 { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 92 12 92 60] UInt64.to_int i_9 <= Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f_1)) };
-    invariant j_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 93 12 93 61] UInt64.to_int j_20 <= Seq.length (Model2.model curr_clause_16) };
-    invariant counts_len { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 94 12 94 68] Seq.length (Model1.model counts_4) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    _23 <- j_20;
-    _25 <- curr_clause_16;
-    _24 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 95 22 95 39] Len1.len _25);
-    goto BB11
-  }
-  BB11 {
-    _22 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 95 18 95 39] _23 < _24);
-    switch (_22)
-      | False -> goto BB22
-      | _ -> goto BB12
-      end
-  }
-  BB12 {
-    _30 <- counts_4;
-    _34 <- curr_clause_16;
-    _35 <- j_20;
-    _33 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 98 26 98 40] Index1.index _34 _35);
-    goto BB13
-  }
-  BB13 {
-    _32 <- _33;
-    _31 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 98 26 98 48] Index2.index _32);
-    goto BB14
-  }
-  BB14 {
-    _29 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 98 19 98 49] Index3.index _30 _31);
-    goto BB15
-  }
-  BB15 {
-    _28 <- _29;
-    _36 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 98 52 98 66] (18446744073709551615 : usize) - (1 : usize));
-    _27 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 98 19 98 66] _28 < _36);
-    switch (_27)
-      | False -> goto BB20
-      | _ -> goto BB16
-      end
-  }
-  BB16 {
-    _38 <- borrow_mut counts_4;
-    counts_4 <-  ^ _38;
-    _42 <- curr_clause_16;
-    _43 <- j_20;
-    _41 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 99 27 99 41] Index1.index _42 _43);
-    goto BB17
-  }
-  BB17 {
-    _40 <- _41;
-    _39 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 99 27 99 49] Index2.index _40);
-    goto BB18
-  }
-  BB18 {
-    _37 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 99 20 99 50] IndexMut0.index_mut _38 _39);
-    goto BB19
-  }
-  BB19 {
-    _37 <- { _37 with current = ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 99 20 99 55]  * _37 + (1 : usize)) };
-    assume { Resolve0.resolve _37 };
-    _26 <- ();
-    goto BB21
-  }
-  BB20 {
-    _26 <- ();
-    goto BB21
-  }
-  BB21 {
-    j_20 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 101 16 101 22] j_20 + (1 : usize));
-    _11 <- ();
-    goto BB10
-  }
-  BB22 {
-    _21 <- ();
-    i_9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 103 12 103 18] i_9 + (1 : usize));
-    _11 <- ();
-    goto BB5
-  }
-  BB23 {
-    _10 <- ();
-    i_9 <- (0 : usize);
-    goto BB24
-  }
-  BB24 {
-    goto BB25
-  }
-  BB25 {
-    goto BB26
-  }
-  BB26 {
-    invariant i_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 106 8 106 48] UInt64.to_int i_9 <= UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    invariant counts_with_idx_len { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 107 8 107 84] Seq.length (Model3.model counts_with_index_6) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    invariant second_ok { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 108 8 109 54] forall j : (int) . 0 <= j && j < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) -> UInt64.to_int (let (_, a) = Seq.get (Model3.model counts_with_index_6) j in a) < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    _52 <- i_9;
-    _53 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    _51 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 110 14 110 28] _52 < _53);
-    switch (_51)
-      | False -> goto BB30
-      | _ -> goto BB27
-      end
-  }
-  BB27 {
-    _56 <- counts_4;
-    _57 <- i_9;
-    _55 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 111 36 111 45] Index3.index _56 _57);
-    goto BB28
-  }
-  BB28 {
-    _54 <- _55;
-    _58 <- i_9;
-    _60 <- borrow_mut counts_with_index_6;
-    counts_with_index_6 <-  ^ _60;
-    _61 <- i_9;
-    _59 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 111 12 111 32] IndexMut1.index_mut _60 _61);
-    goto BB29
-  }
-  BB29 {
-    _59 <- { _59 with current = (_54, _58) };
-    assume { Resolve1.resolve _59 };
-    i_9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 112 12 112 18] i_9 + (1 : usize));
-    _11 <- ();
-    goto BB26
-  }
-  BB30 {
-    _50 <- ();
-    _67 <- borrow_mut counts_with_index_6;
-    counts_with_index_6 <-  ^ _67;
-    _66 <- borrow_mut ( * _67);
-    _67 <- { _67 with current = ( ^ _66) };
-    _65 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 114 8 114 44] SortReverse0.sort_reverse _66);
-    goto BB31
-  }
-  BB31 {
-    assume { Resolve2.resolve _67 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 115 8 116 53] forall j : (int) . 0 <= j && j < Seq.length (Model3.model counts_with_index_6) -> UInt64.to_int (let (_, a) = Seq.get (Model3.model counts_with_index_6) j in a) < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    goto BB32
-  }
-  BB32 {
-    _68 <- ();
-    i_9 <- (0 : usize);
-    goto BB33
-  }
-  BB33 {
-    goto BB34
-  }
-  BB34 {
-    goto BB35
-  }
-  BB35 {
-    invariant i_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 118 8 118 59] 0 <= UInt64.to_int i_9 && UInt64.to_int i_9 <= UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    invariant lit_order_len { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 119 8 119 70] Seq.length (Model1.model lit_order_2) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    invariant second_ok { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 120 8 121 44] forall j : (int) . 0 <= j && j < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) -> UInt64.to_int (Seq.get (Model1.model lit_order_2) j) < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    _71 <- i_9;
-    _72 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    _70 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 122 14 122 28] _71 < _72);
-    switch (_70)
-      | False -> goto BB39
-      | _ -> goto BB36
-      end
-  }
-  BB36 {
-    _75 <- counts_with_index_6;
-    _76 <- i_9;
-    _74 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 123 27 123 47] Index4.index _75 _76);
-    goto BB37
-  }
-  BB37 {
-    _73 <- (let (_, a) = _74 in a);
-    _78 <- borrow_mut lit_order_2;
-    lit_order_2 <-  ^ _78;
-    _79 <- i_9;
-    _77 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 123 12 123 24] IndexMut0.index_mut _78 _79);
-    goto BB38
-  }
-  BB38 {
-    _77 <- { _77 with current = _73 };
-    assume { Resolve0.resolve _77 };
-    i_9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 124 12 124 18] i_9 + (1 : usize));
-    _11 <- ();
-    goto BB35
-  }
-  BB39 {
-    _69 <- ();
-    _83 <- f_1;
-    assume { Resolve3.resolve _84 };
-    _84 <- lit_order_2;
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 126 8 126 44] MakeLinkedList0.make_linked_list _83 _84);
-    goto BB40
-  }
-  BB40 {
-    goto BB41
-  }
-  BB41 {
-    assume { Resolve4.resolve counts_with_index_6 };
-    goto BB42
-  }
-  BB42 {
-    assume { Resolve3.resolve counts_4 };
-    goto BB43
-  }
-  BB43 {
-    return _0
-  }
-  
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 36 4 39 5] forall j : (int) . 0 <= j /\ j < Seq.length w -> UInt64.to_int (Type.creusat_watches_watcher_Watcher_cref (Seq.get w j)) < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))
 end
-module CreuSat_Logic_LogicAssignments_Impl1_Complete_Interface
-  use Type
-  predicate complete (self : Type.creusat_assignments_assignments)
+module CreuSat_Logic_LogicUtil_Pop_Interface
+  type t
+  use seq.Seq
+  use mach.int.Int
+  use mach.int.Int32
+  use seq_ext.SeqExt
+  function pop (s : Seq.seq t) : Seq.seq t
 end
-module CreuSat_Logic_LogicAssignments_Impl1_Complete
-  use Type
+module CreuSat_Logic_LogicUtil_Pop
+  type t
+  use seq.Seq
   use mach.int.Int
   use mach.int.Int32
+  use seq_ext.SeqExt
+  function pop [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 68 0 68 34] (s : Seq.seq t) : Seq.seq t =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 69 4 71 5] SeqExt.subsequence s 0 (Seq.length s - 1)
+  axiom pop_spec : forall s : Seq.seq t . ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 64 0 64 24] Seq.length s > 0) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 67 0 67 75] forall i : (int) . 0 <= i /\ i < Seq.length (pop s) -> Seq.get (pop s) i = Seq.get s i) && ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 66 0 66 39] Seq.length (pop s) = Seq.length s - 1) && ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 65 0 65 51] pop s = SeqExt.subsequence s 0 (Seq.length s - 1))
+end
+module CreuSat_Logic_LogicWatches_LemmaPopWatchMaintainsWatcherInvariant_Interface
   use seq.Seq
-  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate complete [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_assignments.rs" 55 4 55 33] (self : Type.creusat_assignments_assignments)
+  use mach.int.Int
+  use mach.int.Int32
+  use Type
+  clone CreuSat_Logic_LogicUtil_Pop_Interface as Pop0 with type t = Type.creusat_watches_watcher, axiom .
+  clone CreuSat_Logic_LogicWatches_WatcherCrefsInRange_Interface as WatcherCrefsInRange0
+  function lemma_pop_watch_maintains_watcher_invariant (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula) : ()
+    
+end
+module CreuSat_Logic_LogicWatches_LemmaPopWatchMaintainsWatcherInvariant
+  use seq.Seq
+  use mach.int.Int
+  use mach.int.Int32
+  use Type
+  clone CreuSat_Logic_LogicUtil_Pop_Interface as Pop0 with type t = Type.creusat_watches_watcher, axiom .
+  clone CreuSat_Logic_LogicWatches_WatcherCrefsInRange_Interface as WatcherCrefsInRange0
+  function lemma_pop_watch_maintains_watcher_invariant [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 55 0 55 79] (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula) : ()
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_assignments.rs" 56 8 58 9] forall i : (int) . 0 <= i && i < Seq.length (Model0.model self) -> not Unset0.unset (Seq.get (Model0.model self) i)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 50 0 50 8] ()
+  axiom lemma_pop_watch_maintains_watcher_invariant_spec : forall w : Seq.seq (Type.creusat_watches_watcher), f : Type.creusat_formula_formula . ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 52 0 52 24] Seq.length w > 0) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 53 0 53 41] WatcherCrefsInRange0.watcher_crefs_in_range w f) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 54 0 54 45] WatcherCrefsInRange0.watcher_crefs_in_range (Pop0.pop w) f)
 end
-module CreuSat_Decision_Impl1_GetNext_Interface
+module CreuSat_Watches_Impl0_Unwatch_Interface
   use mach.int.UInt64
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.Int32
+  use seq.Seq
   use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant0
+  val unwatch [@cfg:stackify] (self : borrowed (Type.creusat_watches_watches)) (f : Type.creusat_formula_formula) (trail : Type.creusat_trail_trail) (cref : usize) (lit : Type.creusat_lit_lit) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 155 4 155 42] Invariant0.invariant' ( * self) f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 156 4 156 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 157 4 157 48] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 158 4 158 30] Invariant1.invariant' f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 159 4 159 36] Invariant2.invariant' trail f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 160 4 160 43] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 161 4 161 50] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) >= 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 155 4 155 42] Invariant0.invariant' ( ^ self) f }
+    
+end
+module CreuSat_Formula_Impl2_DeleteClause_Interface
+  use mach.int.UInt64
   use mach.int.Int
   use prelude.Prelude
+  use mach.int.Int32
   use seq.Seq
-  clone CreuSat_Logic_LogicAssignments_Impl1_Complete_Interface as Complete0
-  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant0
-  val get_next [@cfg:stackify] (self : borrowed (Type.creusat_decision_decisions)) (a : Type.creusat_assignments_assignments) (_f : Type.creusat_formula_formula) : Type.core_option_option usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 232 4 232 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 233 4 233 33] Invariant1.invariant' a _f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 232 4 232 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 234 4 237 7] match (result) with
-      | Type.Core_Option_Option_Some k -> UInt64.to_int k < Seq.length (Model0.model a) && Unset0.unset (Seq.get (Model0.model a) (UInt64.to_int k))
-      | Type.Core_Option_Option_None -> Complete0.complete a
-      end }
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant0
+  val delete_clause [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (cref : usize) (watches : borrowed (Type.creusat_watches_watches)) (t : Type.creusat_trail_trail) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 208 4 208 51] Invariant0.invariant' ( * watches) ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 209 4 209 40] Invariant1.invariant' ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 210 4 210 42] Invariant2.invariant' t ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 211 4 211 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 212 4 212 52] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * self))) (UInt64.to_int cref))) > 1}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 213 4 213 46] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * self)))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 208 4 208 51] Invariant0.invariant' ( ^ watches) ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 209 4 209 40] Invariant1.invariant' ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 210 4 210 42] Invariant2.invariant' t ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 214 4 214 35] Equisat0.equisat ( * self) ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 215 4 215 49] Type.creusat_formula_formula_Formula_num_vars ( * self) = Type.creusat_formula_formula_Formula_num_vars ( ^ self) }
     
 end
-module CreuSat_Decision_Impl1_GetNext
+module CreuSat_Formula_Impl2_DeleteClauses_Interface
   use mach.int.UInt64
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.Int32
   use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val delete_clauses [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (watches : borrowed (Type.creusat_watches_watches)) (t : Type.creusat_trail_trail) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 229 4 229 40] Invariant0.invariant' ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 230 4 230 51] Invariant1.invariant' ( * watches) ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 231 4 231 42] Invariant2.invariant' t ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 232 4 232 35] Invariant2.invariant' t ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 233 4 233 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 229 4 229 40] Invariant0.invariant' ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 230 4 230 51] Invariant1.invariant' ( ^ watches) ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 231 4 231 42] Invariant2.invariant' t ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 234 4 234 49] Type.creusat_formula_formula_Formula_num_vars ( * self) = Type.creusat_formula_formula_Formula_num_vars ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 235 4 235 35] Equisat0.equisat ( * self) ( ^ self) }
+    
+end
+module CreuSat_Formula_Impl2_SimplifyFormula_Interface
+  use mach.int.UInt64
   use mach.int.Int
   use prelude.Prelude
-  use seq.Seq
   use mach.int.Int32
-  use prelude.UInt8
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model2 with function Model0.model = Model3.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_Impl1_Complete as Complete0 with function Model0.model = Model2.model,
-  predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant0 with function Model0.model = Model1.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_decision_decisions
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_decision_node
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_decision_node
-  clone CreuSat_Assignments_Impl2_Len_Interface as Len0 with function Model0.model = Model0.model
-  clone CreuSat_Assignments_Impl0_Index_Interface as Index0 with function Model0.model = Model0.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index1 with type t = Type.creusat_decision_node, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model1.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  let rec cfg get_next [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 238 4 238 78] (self : borrowed (Type.creusat_decision_decisions)) (a : Type.creusat_assignments_assignments) (_f : Type.creusat_formula_formula) : Type.core_option_option usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 232 4 232 52] Invariant0.invariant' ( * self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 233 4 233 33] Invariant1.invariant' a _f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 232 4 232 52] Invariant0.invariant' ( ^ self) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 234 4 237 7] match (result) with
-      | Type.Core_Option_Option_Some k -> UInt64.to_int k < Seq.length (Model0.model a) && Unset0.unset (Seq.get (Model0.model a) (UInt64.to_int k))
-      | Type.Core_Option_Option_None -> Complete0.complete a
-      end }
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val simplify_formula [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (watches : borrowed (Type.creusat_watches_watches)) (t : Type.creusat_trail_trail) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 262 4 262 40] Invariant0.invariant' ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 263 4 263 51] Invariant1.invariant' ( * watches) ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 264 4 264 42] Invariant2.invariant' t ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 265 4 265 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 262 4 262 40] Invariant0.invariant' ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 263 4 263 51] Invariant1.invariant' ( ^ watches) ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 264 4 264 42] Invariant2.invariant' t ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 266 4 266 49] Type.creusat_formula_formula_Formula_num_vars ( * self) = Type.creusat_formula_formula_Formula_num_vars ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 267 4 267 35] Equisat0.equisat ( * self) ( ^ self) }
+    
+end
+module CreuSat_Formula_Impl2_ReduceDb_Interface
+  use mach.int.UInt64
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.Int32
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val reduceDB [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (watches : borrowed (Type.creusat_watches_watches)) (t : Type.creusat_trail_trail) (s : borrowed (Type.creusat_solver_solver)) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 275 4 275 40] Invariant0.invariant' ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 276 4 276 51] Invariant1.invariant' ( * watches) ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 277 4 277 42] Invariant2.invariant' t ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 278 4 278 33] Invariant0.invariant' ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 279 4 279 35] Invariant2.invariant' t ( * self)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 280 4 280 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 275 4 275 40] Invariant0.invariant' ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 276 4 276 51] Invariant1.invariant' ( ^ watches) ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 277 4 277 42] Invariant2.invariant' t ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 281 4 281 49] Type.creusat_formula_formula_Formula_num_vars ( * self) = Type.creusat_formula_formula_Formula_num_vars ( ^ self) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/formula.rs" 282 4 282 35] Equisat0.equisat ( * self) ( ^ self) }
+    
+end
+module CreuSat_Lit_Impl4_Clone_Interface
+  use prelude.Prelude
+  use Type
+  val clone' [@cfg:stackify] (self : Type.creusat_lit_lit) : Type.creusat_lit_lit
+end
+module CreuSat_Lit_Impl0_Model_Interface
+  use Type
+  function model (self : Type.creusat_lit_lit) : Type.creusat_lit_lit
+end
+module CreuSat_Lit_Impl0_Model
+  use Type
+  function model [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 22 4 22 26] (self : Type.creusat_lit_lit) : Type.creusat_lit_lit
     
    =
-  var _0 : Type.core_option_option usize;
-  var self_1 : borrowed (Type.creusat_decision_decisions);
-  var a_2 : Type.creusat_assignments_assignments;
-  var _f_3 : Type.creusat_formula_formula;
-  var iNVALID'_4 : usize;
-  var curr_5 : usize;
-  var _6 : ();
-  var _7 : ();
-  var _8 : bool;
-  var _9 : usize;
-  var _10 : usize;
-  var _11 : ();
-  var _12 : bool;
-  var _13 : uint8;
-  var _14 : uint8;
-  var _15 : Type.creusat_assignments_assignments;
-  var _16 : usize;
-  var _17 : ();
-  var _18 : usize;
-  var _19 : Type.creusat_decision_node;
-  var _20 : Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global);
-  var _21 : usize;
-  var _22 : usize;
-  var _23 : usize;
-  var _24 : Type.creusat_decision_node;
-  var _25 : Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global);
-  var _26 : usize;
-  var _27 : ();
-  var _28 : ();
-  var _29 : ();
-  var i_30 : usize;
-  var _31 : ();
-  var _32 : bool;
-  var _33 : usize;
-  var _34 : usize;
-  var _35 : Type.creusat_assignments_assignments;
-  var _36 : ();
-  var _37 : bool;
-  var _38 : uint8;
-  var _39 : uint8;
-  var _40 : Type.creusat_assignments_assignments;
-  var _41 : usize;
-  var _42 : ();
-  var _43 : usize;
-  var _44 : ();
-  var _45 : ();
-  var _46 : ();
-  {
-    self_1 <- self;
-    a_2 <- a;
-    _f_3 <- _f;
-    goto BB0
-  }
-  BB0 {
-    iNVALID'_4 <- (18446744073709551615 : usize);
-    curr_5 <- Type.creusat_decision_decisions_Decisions_search ( * self_1);
-    goto BB1
-  }
-  BB1 {
-    invariant inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 241 8 241 67] curr_5 = (18446744073709551615 : usize) || UInt64.to_int curr_5 < Seq.length (Model0.model a_2) };
-    _9 <- curr_5;
-    _10 <- iNVALID'_4;
-    _8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 242 14 242 29] _9 <> _10);
-    switch (_8)
-      | False -> goto BB8
-      | _ -> goto BB2
-      end
-  }
-  BB2 {
-    _15 <- a_2;
-    _16 <- curr_5;
-    _14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 243 15 243 22] Index0.index _15 _16);
-    goto BB3
-  }
-  BB3 {
-    _13 <- _14;
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 243 15 243 27] _13 >= (2 : uint8));
-    switch (_12)
-      | False -> goto BB6
-      | _ -> goto BB4
-      end
-  }
-  BB4 {
-    _20 <- Type.creusat_decision_decisions_Decisions_linked_list ( * self_1);
-    _21 <- curr_5;
-    _19 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 244 30 244 52] Index1.index _20 _21);
-    goto BB5
-  }
-  BB5 {
-    _18 <- Type.creusat_decision_node_Node_next _19;
-    self_1 <- { self_1 with current = (let Type.CreuSat_Decision_Decisions a b c d =  * self_1 in Type.CreuSat_Decision_Decisions a b c _18) };
-    assume { Resolve0.resolve self_1 };
-    _22 <- curr_5;
-    _0 <- Type.Core_Option_Option_Some _22;
-    goto BB16
-  }
-  BB6 {
-    _11 <- ();
-    _25 <- Type.creusat_decision_decisions_Decisions_linked_list ( * self_1);
-    _26 <- curr_5;
-    _24 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 247 19 247 41] Index1.index _25 _26);
-    goto BB7
-  }
-  BB7 {
-    _23 <- Type.creusat_decision_node_Node_next _24;
-    curr_5 <- _23;
-    _7 <- ();
-    goto BB1
-  }
-  BB8 {
-    assume { Resolve0.resolve self_1 };
-    _6 <- ();
-    i_30 <- (0 : usize);
-    goto BB9
-  }
-  BB9 {
-    invariant prev { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 252 8 252 79] forall j : (int) . 0 <= j && j < UInt64.to_int i_30 -> not Unset0.unset (Seq.get (Model0.model a_2) j) };
-    _33 <- i_30;
-    _35 <- a_2;
-    _34 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 253 18 253 25] Len0.len _35);
-    goto BB10
-  }
-  BB10 {
-    _32 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 253 14 253 25] _33 < _34);
-    switch (_32)
-      | False -> goto BB15
-      | _ -> goto BB11
-      end
-  }
-  BB11 {
-    _40 <- a_2;
-    _41 <- i_30;
-    _39 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 254 15 254 19] Index0.index _40 _41);
-    goto BB12
-  }
-  BB12 {
-    _38 <- _39;
-    _37 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 254 15 254 24] _38 >= (2 : uint8));
-    switch (_37)
-      | False -> goto BB14
-      | _ -> goto BB13
-      end
-  }
-  BB13 {
-    _43 <- i_30;
-    _0 <- Type.Core_Option_Option_Some _43;
-    goto BB16
-  }
-  BB14 {
-    _36 <- ();
-    i_30 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/decision.rs" 257 12 257 18] i_30 + (1 : usize));
-    _7 <- ();
-    goto BB9
-  }
-  BB15 {
-    _31 <- ();
-    _0 <- Type.Core_Option_Option_None;
-    goto BB17
-  }
-  BB16 {
-    goto BB17
-  }
-  BB17 {
-    return _0
-  }
-  
+    [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 23 8 23 12] self
 end
-module CreuSat_Formula_Impl1_IndexMut_Interface
-  use mach.int.UInt64
+module CreuSat_Lit_Impl1_LitSet_Interface
   use seq.Seq
+  use Type
+  use prelude.Prelude
+  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicLit_Impl1_Unset_Interface as Unset0
+  clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant0
+  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_assignments_assignments,
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  val lit_set [@cfg:stackify] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments) : bool
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 81 4 81 43] Invariant0.invariant' self (Seq.length (Model0.model a))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 82 4 82 41] result = (not Unset0.unset self a) }
+    
+end
+module CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic_Interface
+  use Type
+  use mach.int.Int
+  function to_watchidx_logic [@inline:trivial] (self : Type.creusat_lit_lit) : int
+end
+module CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic
+  use Type
   use mach.int.Int
   use mach.int.Int32
+  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  function to_watchidx_logic [@inline:trivial] [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 33 4 33 41] (self : Type.creusat_lit_lit) : int
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 34 8 34 91] IndexLogic0.index_logic self * 2 + (if IsPositiveLogic0.is_positive_logic self then
+      0
+    else
+      1
+    )
+end
+module CreuSat_Lit_Impl1_ToWatchidx_Interface
+  use mach.int.Int
   use prelude.Prelude
+  use mach.int.UInt64
+  use mach.int.Int32
   use Type
-  clone CreuSat_Logic_LogicFormula_Impl0_Model_Interface as Model1
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model0 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  val index_mut [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (ix : usize) : borrowed (Type.creusat_clause_clause)
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 43 4 43 38] UInt64.to_int ix < Seq.length (let (a, _) = Model0.model self in a)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 44 4 44 42] Seq.get (let (a, _) = Model1.model ( * self) in a) (UInt64.to_int ix) =  * result }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 45 4 45 42] Seq.get (let (a, _) = Model1.model ( ^ self) in a) (UInt64.to_int ix) =  ^ result }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 46 4 46 107] forall i : (int) . 0 <= i && i <> UInt64.to_int ix && i < Seq.length (let (a, _) = Model0.model self in a) -> Seq.get (let (a, _) = Model0.model self in a) i = Seq.get (let (a, _) = Model1.model ( ^ self) in a) i }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 47 4 47 52] Seq.length (let (a, _) = Model1.model ( ^ self) in a) = Seq.length (let (a, _) = Model1.model ( * self) in a) }
+  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
+  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic_Interface as ToWatchidxLogic0
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  val to_watchidx [@cfg:stackify] (self : Type.creusat_lit_lit) : usize
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 89 4 89 51] IndexLogic0.index_logic self < div 18446744073709551615 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 90 4 90 51] UInt64.to_int result = ToWatchidxLogic0.to_watchidx_logic self }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 91 4 91 96] UInt64.to_int result = IndexLogic0.index_logic self * 2 + (if IsPositiveLogic0.is_positive_logic self then
+      0
+    else
+      1
+    ) }
     
 end
-module CreuSat_Formula_Impl1_IndexMut
+module CreuSat_Lit_Impl1_PhaseSaved_Interface
   use mach.int.UInt64
   use seq.Seq
   use mach.int.Int
+  use prelude.UInt8
   use mach.int.Int32
   use prelude.Prelude
   use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model0 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_clause_clause
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_formula_formula
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = Type.creusat_clause_clause, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  let rec cfg index_mut [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 48 4 48 53] (self : borrowed (Type.creusat_formula_formula)) (ix : usize) : borrowed (Type.creusat_clause_clause)
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 43 4 43 38] UInt64.to_int ix < Seq.length (let (a, _) = Model0.model self in a)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 44 4 44 42] Seq.get (let (a, _) = Model1.model ( * self) in a) (UInt64.to_int ix) =  * result }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 45 4 45 42] Seq.get (let (a, _) = Model1.model ( ^ self) in a) (UInt64.to_int ix) =  ^ result }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 46 4 46 107] forall i : (int) . 0 <= i && i <> UInt64.to_int ix && i < Seq.length (let (a, _) = Model0.model self in a) -> Seq.get (let (a, _) = Model0.model self in a) i = Seq.get (let (a, _) = Model1.model ( ^ self) in a) i }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 47 4 47 52] Seq.length (let (a, _) = Model1.model ( ^ self) in a) = Seq.length (let (a, _) = Model1.model ( * self) in a) }
+  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_assignments_assignments,
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  val phase_saved [@cfg:stackify] (idx : usize) (assignments : Type.creusat_assignments_assignments) : Type.creusat_lit_lit
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 105 4 105 44] UInt64.to_int idx < Seq.length (Model0.model assignments)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 106 4 106 44] IndexLogic0.index_logic result = UInt64.to_int idx }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 107 4 107 74] IsPositiveLogic0.is_positive_logic result = (UInt8.to_int (Seq.get (Model0.model assignments) (UInt64.to_int idx)) = 1) }
     
-   =
-  var _0 : borrowed (Type.creusat_clause_clause);
-  var self_1 : borrowed (Type.creusat_formula_formula);
-  var ix_2 : usize;
-  var _3 : borrowed (Type.creusat_clause_clause);
-  var _4 : borrowed (Type.creusat_clause_clause);
-  var _5 : borrowed (Type.creusat_clause_clause);
-  var _6 : borrowed (Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global));
-  var _7 : usize;
-  {
-    self_1 <- self;
-    ix_2 <- ix;
-    goto BB0
-  }
-  BB0 {
-    _6 <- borrow_mut (Type.creusat_formula_formula_Formula_clauses ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Formula_Formula a b =  * self_1 in Type.CreuSat_Formula_Formula ( ^ _6) b) };
-    assume { Resolve0.resolve self_1 };
-    _7 <- ix_2;
-    _5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 54 13 54 29] IndexMut0.index_mut _6 _7);
-    goto BB1
-  }
-  BB1 {
-    _4 <- borrow_mut ( * _5);
-    _5 <- { _5 with current = ( ^ _4) };
-    assume { Resolve1.resolve _5 };
-    _3 <- borrow_mut ( * _4);
-    _4 <- { _4 with current = ( ^ _3) };
-    assume { Resolve1.resolve _4 };
-    _0 <- borrow_mut ( * _3);
-    _3 <- { _3 with current = ( ^ _0) };
-    assume { Resolve1.resolve _3 };
-    return _0
-  }
-  
 end
-module CreuSat_Formula_Impl2_CheckFormulaInvariant_Interface
+module CreuSat_Lit_Impl2_Eq_Interface
+  use prelude.Prelude
+  use Type
+  val eq [@cfg:stackify] (self : Type.creusat_lit_lit) (other : Type.creusat_lit_lit) : bool
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 120 4 120 41] result = (self = other) }
+    
+end
+module CreuSat_Lit_Impl3_Not_Interface
+  use Type
+  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  val not' [@cfg:stackify] (self : Type.creusat_lit_lit) : Type.creusat_lit_lit
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 132 4 132 58] IndexLogic0.index_logic result = IndexLogic0.index_logic self }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/lit.rs" 133 4 133 71] IsPositiveLogic0.is_positive_logic result = (not IsPositiveLogic0.is_positive_logic self) }
+    
+end
+module CreuSat_Logic_Logic_Inner_Impl0_SatisfiesClause_Interface
+  use Type
+  use seq.Seq
+  predicate satisfies_clause (self : Type.creusat_logic_logic_inner_m) (cl : Seq.seq (Type.creusat_lit_lit))
+end
+module CreuSat_Logic_Logic_Inner_Impl0_SatisfiesClause
   use Type
+  use seq.Seq
   use mach.int.Int
   use mach.int.Int32
   use mach.int.UInt64
-  use prelude.Prelude
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable_Interface as NotSatisfiable0
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner_Interface as FormulaSatInner0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = uint8, type a = Type.alloc_alloc_global,
-  axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  val check_formula_invariant [@cfg:stackify] (self : Type.creusat_formula_formula) : Type.creusat_solver_satresult
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 60 4 65 7] match (result) with
-      | Type.CreuSat_Solver_SatResult_Sat assn -> FormulaSatInner0.formula_sat_inner (Model0.model self) (Model1.model assn)
-      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable self
-      | Type.CreuSat_Solver_SatResult_Unknown -> Invariant0.invariant' self && 0 < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self) && UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self) < div 18446744073709551615 2
-      | Type.CreuSat_Solver_SatResult_Err -> true
-      end }
+  use map.Map
+  predicate satisfies_clause [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 17 8 17 55] (self : Type.creusat_logic_logic_inner_m) (cl : Seq.seq (Type.creusat_lit_lit))
     
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 18 12 20 13] exists i : (int) . 0 <= i /\ i < Seq.length cl /\ Map.get (Type.creusat_logic_logic_inner_m_M_0 self) (UInt64.to_int (Type.creusat_lit_lit_Lit_idx (Seq.get cl i))) = Type.creusat_lit_lit_Lit_polarity (Seq.get cl i)
 end
-module CreuSat_Formula_Impl2_CheckFormulaInvariant
+module CreuSat_Logic_Logic_Inner_Impl0_Satisfies_Interface
   use Type
+  use seq.Seq
+  predicate satisfies (self : Type.creusat_logic_logic_inner_m) (fml : Seq.seq (Seq.seq (Type.creusat_lit_lit)))
+end
+module CreuSat_Logic_Logic_Inner_Impl0_Satisfies
+  use Type
+  use seq.Seq
   use mach.int.Int
   use mach.int.Int32
-  use mach.int.UInt64
-  use prelude.Prelude
+  clone CreuSat_Logic_Logic_Inner_Impl0_SatisfiesClause_Interface as SatisfiesClause0
+  predicate satisfies [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 24 8 24 54] (self : Type.creusat_logic_logic_inner_m) (fml : Seq.seq (Seq.seq (Type.creusat_lit_lit)))
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 25 12 27 13] forall c : (int) . 0 <= c /\ c < Seq.length fml -> SatisfiesClause0.satisfies_clause self (Seq.get fml c)
+end
+module CreuSat_Logic_LogicFormula_Impl1_RealModel_Interface
+  use Type
   use seq.Seq
-  use prelude.UInt8
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant2 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant2.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model3 with function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner0 with function Model0.model = Model3.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant1 with function Model0.model = Model3.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant1.invariant',
-  function Model0.model = Model3.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model2.model,
-  predicate Invariant0.invariant' = Invariant1.invariant', function Model1.model = Model3.model
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model4 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model4.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model3.model,
-  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model4.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy2
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_clause_clause
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model6 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model3.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len1 with function Model0.model = Model6.model
-  clone CreuSat_Clause_Impl3_CheckClauseInvariant_Interface as CheckClauseInvariant0 with predicate Invariant0.invariant' = Invariant1.invariant'
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.creusat_clause_clause, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model
-  clone Alloc_Vec_Impl0_New_Interface as New0 with type t = uint8, function Model0.model = Model1.model
-  let rec cfg check_formula_invariant [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 66 4 66 54] (self : Type.creusat_formula_formula) : Type.creusat_solver_satresult
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 60 4 65 7] match (result) with
-      | Type.CreuSat_Solver_SatResult_Sat assn -> FormulaSatInner0.formula_sat_inner (Model0.model self) (Model1.model assn)
-      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable self
-      | Type.CreuSat_Solver_SatResult_Unknown -> Invariant0.invariant' self && 0 < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self) && UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self) < div 18446744073709551615 2
-      | Type.CreuSat_Solver_SatResult_Err -> true
-      end }
+  function real_model (self : Type.creusat_formula_formula) : Seq.seq (Seq.seq (Type.creusat_lit_lit))
+end
+module CreuSat_Logic_LogicFormula_Impl1_RealModel
+  use Type
+  use seq.Seq
+  function real_model [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 22 4 22 44] (self : Type.creusat_formula_formula) : Seq.seq (Seq.seq (Type.creusat_lit_lit))
     
    =
-  var _0 : Type.creusat_solver_satresult;
-  var self_1 : Type.creusat_formula_formula;
-  var _2 : ();
-  var _3 : bool;
-  var _4 : usize;
-  var _5 : usize;
-  var _6 : bool;
-  var _7 : ();
-  var _8 : ();
-  var _9 : bool;
-  var _10 : usize;
-  var _11 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _12 : ();
-  var _13 : Type.alloc_vec_vec uint8 (Type.alloc_alloc_global);
-  var _14 : ();
-  var _15 : bool;
-  var _16 : usize;
-  var _17 : ();
-  var i_18 : usize;
-  var _19 : ();
-  var _20 : ();
-  var _21 : bool;
-  var _22 : usize;
-  var _23 : usize;
-  var _24 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _25 : ();
-  var _26 : bool;
-  var _27 : bool;
-  var _28 : Type.creusat_clause_clause;
-  var _29 : Type.creusat_clause_clause;
-  var _30 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _31 : usize;
-  var _32 : usize;
-  var _33 : ();
-  var _34 : ();
-  var _35 : bool;
-  var _36 : usize;
-  var _37 : Type.creusat_clause_clause;
-  var _38 : Type.creusat_clause_clause;
-  var _39 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _40 : usize;
-  var _41 : ();
-  var _42 : ();
-  var _43 : ();
-  var _44 : ();
-  {
-    self_1 <- self;
-    goto BB0
-  }
-  BB0 {
-    _4 <- Type.creusat_formula_formula_Formula_num_vars self_1;
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 67 28 67 42] (2 : usize) = (0 : usize));
-    assert { not _6 };
-    goto BB1
-  }
-  BB1 {
-    _5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 67 28 67 42] (18446744073709551615 : usize) / (2 : usize));
-    _3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 67 11 67 42] _4 >= _5);
-    switch (_3)
-      | False -> goto BB3
-      | _ -> goto BB2
-      end
-  }
-  BB2 {
-    _0 <- Type.CreuSat_Solver_SatResult_Err;
-    goto BB24
-  }
-  BB3 {
-    _2 <- ();
-    _11 <- Type.creusat_formula_formula_Formula_clauses self_1;
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 70 11 70 29] Len0.len _11);
-    goto BB4
-  }
-  BB4 {
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 70 11 70 34] _10 = (0 : usize));
-    switch (_9)
-      | False -> goto BB8
-      | _ -> goto BB5
-      end
-  }
-  BB5 {
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 71 34 71 44] New0.new ());
-    goto BB6
-  }
-  BB6 {
-    _0 <- Type.CreuSat_Solver_SatResult_Sat _13;
-    goto BB7
-  }
-  BB7 {
-    goto BB24
-  }
-  BB8 {
-    _8 <- ();
-    _16 <- Type.creusat_formula_formula_Formula_num_vars self_1;
-    _15 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 73 11 73 29] _16 = (0 : usize));
-    switch (_15)
-      | False -> goto BB10
-      | _ -> goto BB9
-      end
-  }
-  BB9 {
-    _0 <- Type.CreuSat_Solver_SatResult_Err;
-    goto BB24
-  }
-  BB10 {
-    _14 <- ();
-    i_18 <- (0 : usize);
-    goto BB11
-  }
-  BB11 {
-    invariant inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 77 8 77 107] forall j : (int) . 0 <= j && j < UInt64.to_int i_18 -> Invariant1.invariant' (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses self_1)) j) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self_1)) };
-    invariant clause_len { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 78 8 78 101] forall j : (int) . 0 <= j && j < UInt64.to_int i_18 -> Seq.length (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses self_1)) j)) > 0 };
-    _22 <- i_18;
-    _24 <- Type.creusat_formula_formula_Formula_clauses self_1;
-    _23 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 79 18 79 36] Len0.len _24);
-    goto BB12
-  }
-  BB12 {
-    _21 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 79 14 79 36] _22 < _23);
-    switch (_21)
-      | False -> goto BB22
-      | _ -> goto BB13
-      end
-  }
-  BB13 {
-    _30 <- Type.creusat_formula_formula_Formula_clauses self_1;
-    _31 <- i_18;
-    _29 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 80 16 80 31] Index0.index _30 _31);
-    goto BB14
-  }
-  BB14 {
-    _28 <- _29;
-    _32 <- Type.creusat_formula_formula_Formula_num_vars self_1;
-    _27 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 80 16 80 69] CheckClauseInvariant0.check_clause_invariant _28 _32);
-    goto BB15
-  }
-  BB15 {
-    _26 <- not _27;
-    switch (_26)
-      | False -> goto BB17
-      | _ -> goto BB16
-      end
-  }
-  BB16 {
-    _0 <- Type.CreuSat_Solver_SatResult_Err;
-    goto BB23
-  }
-  BB17 {
-    _25 <- ();
-    _39 <- Type.creusat_formula_formula_Formula_clauses self_1;
-    _40 <- i_18;
-    _38 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 83 15 83 30] Index0.index _39 _40);
-    goto BB18
-  }
-  BB18 {
-    _37 <- _38;
-    _36 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 83 15 83 36] Len1.len _37);
-    goto BB19
-  }
-  BB19 {
-    _35 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 83 15 83 41] _36 = (0 : usize));
-    switch (_35)
-      | False -> goto BB21
-      | _ -> goto BB20
-      end
-  }
-  BB20 {
-    _0 <- Type.CreuSat_Solver_SatResult_Unsat;
-    goto BB23
-  }
-  BB21 {
-    _34 <- ();
-    i_18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 86 12 86 18] i_18 + (1 : usize));
-    _20 <- ();
-    goto BB11
-  }
-  BB22 {
-    _19 <- ();
-    _0 <- Type.CreuSat_Solver_SatResult_Unknown;
-    goto BB24
-  }
-  BB23 {
-    goto BB24
-  }
-  BB24 {
-    return _0
-  }
-  
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 23 8 23 18] Seq.empty 
 end
-module CreuSat_Logic_LogicClause_Impl2_Sat_Interface
+module CreuSat_Logic_Logic_Inner_Impl1_Unsat2_Interface
   use Type
-  predicate sat (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
+  predicate unsat2 (self : Type.creusat_formula_formula)
 end
-module CreuSat_Logic_LogicClause_Impl2_Sat
+module CreuSat_Logic_Logic_Inner_Impl1_Unsat2
   use Type
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner_Interface as SatInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate sat [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 166 4 166 44] (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
+  clone CreuSat_Logic_Logic_Inner_Impl0_Satisfies_Interface as Satisfies0
+  clone CreuSat_Logic_LogicFormula_Impl1_RealModel_Interface as RealModel0
+  predicate unsat2 [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 34 8 34 31] (self : Type.creusat_formula_formula)
     
    =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 167 8 169 9] SatInner0.sat_inner self (Model0.model a)
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 35 12 35 80] forall m : (Type.creusat_logic_logic_inner_m) . Satisfies0.satisfies m (RealModel0.real_model self) -> false
 end
-module CreuSat_Lit_Impl1_LitSat_Interface
-  use seq.Seq
+module CreuSat_Logic_Logic_Inner_Impl1_Sat2_Interface
+  use Type
+  predicate sat2 (self : Type.creusat_formula_formula)
+end
+module CreuSat_Logic_Logic_Inner_Impl1_Sat2
+  use Type
+  clone CreuSat_Logic_Logic_Inner_Impl0_Satisfies_Interface as Satisfies0
+  clone CreuSat_Logic_LogicFormula_Impl1_RealModel_Interface as RealModel0
+  predicate sat2 [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 39 8 39 29] (self : Type.creusat_formula_formula)
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 40 12 40 70] exists m : (Type.creusat_logic_logic_inner_m) . Satisfies0.satisfies m (RealModel0.real_model self)
+end
+module CreuSat_Logic_Logic_Inner_Impl1_Equisat2_Interface
   use Type
+  predicate equisat2 (self : Type.creusat_formula_formula) (f : Type.creusat_formula_formula)
+end
+module CreuSat_Logic_Logic_Inner_Impl1_Equisat2
+  use Type
+  clone CreuSat_Logic_Logic_Inner_Impl0_Satisfies_Interface as Satisfies0
+  clone CreuSat_Logic_LogicFormula_Impl1_RealModel_Interface as RealModel0
+  predicate equisat2 [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 44 8 44 42] (self : Type.creusat_formula_formula) (f : Type.creusat_formula_formula)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 45 12 47 13] forall m : (Type.creusat_logic_logic_inner_m) . Satisfies0.satisfies m (RealModel0.real_model self) -> Satisfies0.satisfies m (RealModel0.real_model f) /\ Satisfies0.satisfies m (RealModel0.real_model f) -> Satisfies0.satisfies m (RealModel0.real_model self)
+end
+module CreuSat_Logic_Logic_Pos_Interface
+  use mach.int.Int
   use prelude.Prelude
-  clone CreuSat_Logic_LogicLit_Impl1_Sat_Interface as Sat0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant0
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  val lit_sat [@cfg:stackify] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 51 4 51 43] Invariant0.invariant' self (Seq.length (Model0.model a))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 52 4 52 38] result = Sat0.sat self a }
+  use prelude.UInt8
+  function pos (_ : ()) : uint8
+end
+module CreuSat_Logic_Logic_Pos
+  use mach.int.Int
+  use prelude.Prelude
+  use prelude.UInt8
+  function pos [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 56 0 56 25] (_ : ()) : uint8 =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 57 4 57 7] (1 : uint8)
+end
+module CreuSat_Logic_Logic_Neg_Interface
+  use mach.int.Int
+  use prelude.Prelude
+  use prelude.UInt8
+  function neg (_ : ()) : uint8
+end
+module CreuSat_Logic_Logic_Neg
+  use mach.int.Int
+  use prelude.Prelude
+  use prelude.UInt8
+  function neg [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 61 0 61 25] (_ : ()) : uint8 =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 62 4 62 7] (0 : uint8)
+end
+module CreuSat_Logic_Logic_BoolToAssignedstate_Interface
+  use prelude.UInt8
+  use mach.int.Int
+  use mach.int.Int32
+  use prelude.Prelude
+  function bool_to_assignedstate (b : bool) : uint8
+end
+module CreuSat_Logic_Logic_BoolToAssignedstate
+  use prelude.UInt8
+  use mach.int.Int
+  use mach.int.Int32
+  use prelude.Prelude
+  function bool_to_assignedstate [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 80 0 80 54] (b : bool) : uint8 =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 77 0 77 8] if b then (1 : uint8) else (0 : uint8)
+  axiom bool_to_assignedstate_spec : forall b : bool . ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 79 0 79 31] not b -> UInt8.to_int (bool_to_assignedstate b) = 0) && ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 78 0 78 30] b -> UInt8.to_int (bool_to_assignedstate b) = 1)
+end
+module CreuSat_Logic_Logic_FlipV_Interface
+  use mach.int.Int
+  use prelude.Prelude
+  use prelude.UInt8
+  function flip_v (v : uint8) : uint8
+end
+module CreuSat_Logic_Logic_FlipV
+  use mach.int.Int
+  use prelude.Prelude
+  use prelude.UInt8
+  use mach.int.Int32
+  function flip_v [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 89 0 89 44] (v : uint8) : uint8 =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic.rs" 90 4 98 5] if UInt8.to_int v = 0 then
+      (1 : uint8)
+    else
+      if UInt8.to_int v = 1 then (0 : uint8) else v
     
 end
-module CreuSat_Lit_Impl1_LitSat
+module CreuSat_Logic_LogicAssignments_CompatibleInner_Interface
   use seq.Seq
-  use Type
+  use mach.int.Int
   use prelude.Prelude
+  use prelude.UInt8
+  predicate compatible_inner (a : Seq.seq uint8) (a2 : Seq.seq uint8)
+end
+module CreuSat_Logic_LogicAssignments_CompatibleInner
+  use seq.Seq
   use mach.int.Int
+  use prelude.Prelude
   use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model1.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  use mach.int.UInt64
-  clone CreuSat_Lit_Impl1_IsPositive_Interface as IsPositive0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl1_Index_Interface as Index0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Assignments_Impl0_Index_Interface as Index1 with function Model0.model = Model0.model
-  let rec cfg lit_sat [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 53 4 53 49] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 51 4 51 43] Invariant0.invariant' self (Seq.length (Model0.model a))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 52 4 52 38] result = Sat0.sat self a }
+  use mach.int.Int32
+  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
+  predicate compatible_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_assignments.rs" 25 0 25 78] (a : Seq.seq uint8) (a2 : Seq.seq uint8)
     
    =
-  var _0 : bool;
-  var self_1 : Type.creusat_lit_lit;
-  var a_2 : Type.creusat_assignments_assignments;
-  var _3 : bool;
-  var _4 : Type.creusat_lit_lit;
-  var _5 : uint8;
-  var _6 : uint8;
-  var _7 : Type.creusat_assignments_assignments;
-  var _8 : usize;
-  var _9 : Type.creusat_lit_lit;
-  var _10 : uint8;
-  var _11 : uint8;
-  var _12 : Type.creusat_assignments_assignments;
-  var _13 : usize;
-  var _14 : Type.creusat_lit_lit;
-  {
-    self_1 <- self;
-    a_2 <- a;
-    goto BB0
-  }
-  BB0 {
-    _4 <- self_1;
-    _3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 54 14 54 32] IsPositive0.is_positive _4);
-    goto BB1
-  }
-  BB1 {
-    switch (_3)
-      | False -> goto BB2
-      | _ -> goto BB3
-      end
-  }
-  BB2 {
-    _12 <- a_2;
-    _14 <- self_1;
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 56 24 56 36] Index0.index _14);
-    goto BB6
-  }
-  BB3 {
-    _7 <- a_2;
-    _9 <- self_1;
-    _8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 55 23 55 35] Index0.index _9);
-    goto BB4
-  }
-  BB4 {
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 55 21 55 36] Index1.index _7 _8);
-    goto BB5
-  }
-  BB5 {
-    _5 <- _6;
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 55 20 55 42] _5 = (1 : uint8));
-    goto BB8
-  }
-  BB6 {
-    _11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 56 22 56 37] Index1.index _12 _13);
-    goto BB7
-  }
-  BB7 {
-    _10 <- _11;
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 56 21 56 43] _10 = (0 : uint8));
-    goto BB8
-  }
-  BB8 {
-    return _0
-  }
-  
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_assignments.rs" 26 4 29 5] Seq.length a = Seq.length a2 /\ (forall i : (int) . 0 <= i /\ i < Seq.length a -> Unset0.unset (Seq.get a i) \/ Seq.get a i = Seq.get a2 i)
 end
-module CreuSat_Formula_Impl2_IsClauseSat_Interface
-  use mach.int.UInt64
+module CreuSat_Logic_LogicAssignments_CompatibleCompleteInner_Interface
   use seq.Seq
   use mach.int.Int
   use prelude.Prelude
-  use Type
-  clone CreuSat_Logic_LogicClause_Impl2_Sat_Interface as Sat0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val is_clause_sat [@cfg:stackify] (self : Type.creusat_formula_formula) (idx : usize) (a : Type.creusat_assignments_assignments) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 92 4 92 33] Invariant0.invariant' self}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 93 4 93 35] Invariant1.invariant' a self}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 94 4 94 45] UInt64.to_int idx < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 95 4 95 55] result = Sat0.sat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) (UInt64.to_int idx)) a }
-    
+  use prelude.UInt8
+  predicate compatible_complete_inner (a : Seq.seq uint8) (a2 : Seq.seq uint8)
 end
-module CreuSat_Formula_Impl2_IsClauseSat
-  use mach.int.UInt64
+module CreuSat_Logic_LogicAssignments_CompatibleCompleteInner
   use seq.Seq
   use mach.int.Int
   use prelude.Prelude
+  use prelude.UInt8
+  clone CreuSat_Logic_LogicAssignments_CompleteInner_Interface as CompleteInner0
+  clone CreuSat_Logic_LogicAssignments_CompatibleInner_Interface as CompatibleInner0
+  predicate compatible_complete_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_assignments.rs" 40 0 40 87] (a : Seq.seq uint8) (a2 : Seq.seq uint8)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_assignments.rs" 39 0 39 12] CompatibleInner0.compatible_inner a a2 /\ CompleteInner0.complete_inner a2
+end
+module CreuSat_Logic_LogicClause_Impl1_PostUnitInner_Interface
   use Type
-  use mach.int.Int32
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
   use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant3 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model4 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant2 with function Model0.model = Model4.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner0 with function Model0.model = Model4.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model3 with function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat1 with function Model0.model = Model3.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Sat as Sat0 with function Model0.model = Model3.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant1 with function Model0.model = Model3.model
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model1 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model4.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model2 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant2.invariant', function Model1.model = Model4.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model2.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy2
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_clause_clause
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model7 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model3.model
-  clone CreuSat_Lit_Impl1_LitSat_Interface as LitSat0 with function Model0.model = Model7.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', predicate Sat0.sat = Sat1.sat
-  clone CreuSat_Clause_Impl0_Index_Interface as Index1 with function Model0.model = Model1.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len0 with function Model0.model = Model1.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.creusat_clause_clause, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  let rec cfg is_clause_sat [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 96 4 96 68] (self : Type.creusat_formula_formula) (idx : usize) (a : Type.creusat_assignments_assignments) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 92 4 92 33] Invariant0.invariant' self}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 93 4 93 35] Invariant1.invariant' a self}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 94 4 94 45] UInt64.to_int idx < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 95 4 95 55] result = Sat0.sat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) (UInt64.to_int idx)) a }
-    
-   =
-  var _0 : bool;
-  var self_1 : Type.creusat_formula_formula;
-  var idx_2 : usize;
-  var a_3 : Type.creusat_assignments_assignments;
-  var clause_4 : Type.creusat_clause_clause;
-  var _5 : Type.creusat_clause_clause;
-  var _6 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _7 : usize;
-  var i_8 : usize;
-  var _9 : ();
-  var _10 : ();
-  var _11 : bool;
-  var _12 : usize;
-  var _13 : usize;
-  var _14 : Type.creusat_clause_clause;
-  var _15 : ();
-  var _16 : bool;
-  var _17 : Type.creusat_lit_lit;
-  var _18 : Type.creusat_lit_lit;
-  var _19 : Type.creusat_clause_clause;
-  var _20 : usize;
-  var _21 : Type.creusat_assignments_assignments;
-  var _22 : ();
-  var _23 : ();
-  var _24 : ();
-  var _25 : ();
-  {
-    self_1 <- self;
-    idx_2 <- idx;
-    a_3 <- a;
-    goto BB0
-  }
-  BB0 {
-    _6 <- Type.creusat_formula_formula_Formula_clauses self_1;
-    _7 <- idx_2;
-    _5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 97 22 97 39] Index0.index _6 _7);
-    goto BB1
-  }
-  BB1 {
-    clause_4 <- _5;
-    i_8 <- (0 : usize);
-    goto BB2
-  }
-  BB2 {
-    invariant previous_not_sat { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 99 8 99 97] forall j : (int) . 0 <= j && j < UInt64.to_int i_8 -> not Sat1.sat (Seq.get (Model1.model clause_4) j) a_3 };
-    _12 <- i_8;
-    _14 <- clause_4;
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 100 18 100 30] Len0.len _14);
-    goto BB3
-  }
-  BB3 {
-    _11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 100 14 100 30] _12 < _13);
-    switch (_11)
-      | False -> goto BB9
-      | _ -> goto BB4
-      end
-  }
-  BB4 {
-    _19 <- clause_4;
-    _20 <- i_8;
-    _18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 101 15 101 24] Index1.index _19 _20);
-    goto BB5
-  }
-  BB5 {
-    _17 <- _18;
-    _21 <- a_3;
-    _16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 101 15 101 35] LitSat0.lit_sat _17 _21);
-    goto BB6
-  }
-  BB6 {
-    switch (_16)
-      | False -> goto BB8
-      | _ -> goto BB7
-      end
-  }
-  BB7 {
-    _0 <- true;
-    goto BB10
-  }
-  BB8 {
-    _15 <- ();
-    i_8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 104 12 104 18] i_8 + (1 : usize));
-    _10 <- ();
-    goto BB2
-  }
-  BB9 {
-    _9 <- ();
-    _0 <- false;
-    goto BB10
-  }
-  BB10 {
-    return _0
-  }
-  
-end
-module CreuSat_Logic_LogicWatches_WatchesInvariantInternal_Interface
-  use seq.Seq
-  use Type
-  use mach.int.Int
-  predicate watches_invariant_internal (w : Seq.seq (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global))) (n : int) (f : Type.creusat_formula_formula)
-    
-end
-module CreuSat_Logic_LogicWatches_WatchesInvariantInternal
-  use seq.Seq
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model2
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  predicate watches_invariant_internal [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 11 0 11 83] (w : Seq.seq (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global))) (n : int) (f : Type.creusat_formula_formula)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 12 4 20 5] 2 * n = Seq.length w && (forall i : (int) . 0 <= i && i < Seq.length w -> (forall j : (int) . 0 <= j && j < Seq.length (Model0.model (Seq.get w i)) -> UInt64.to_int (Type.creusat_watches_watcher_Watcher_cref (Seq.get (Model0.model (Seq.get w i)) j)) < Seq.length (Model1.model (Type.creusat_formula_formula_Formula_clauses f)) && Seq.length (Model2.model (Seq.get (Model1.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int (Type.creusat_watches_watcher_Watcher_cref (Seq.get (Model0.model (Seq.get w i)) j))))) > 1 && IndexLogic0.index_logic (Type.creusat_watches_watcher_Watcher_blocker (Seq.get (Model0.model (Seq.get w i)) j)) < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)))
-end
-module CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface
-  use Type
-  predicate invariant' (self : Type.creusat_watches_watches) (f : Type.creusat_formula_formula)
-end
-module CreuSat_Logic_LogicWatches_Impl0_Invariant
-  use Type
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal_Interface as WatchesInvariantInternal0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  predicate invariant' [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 67 4 67 46] (self : Type.creusat_watches_watches) (f : Type.creusat_formula_formula)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 68 8 83 9] WatchesInvariantInternal0.watches_invariant_internal (Model0.model (Type.creusat_watches_watches_Watches_watches self)) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) f
-end
-module CreuSat_Logic_LogicFormula_Impl1_SatInner_Interface
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  predicate sat_inner (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
-end
-module CreuSat_Logic_LogicFormula_Impl1_SatInner
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner_Interface as SatInner0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  predicate sat_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 142 4 142 57] (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 143 8 146 9] forall i : (int) . 0 <= i && i < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) -> SatInner0.sat_inner (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) i) a
-end
-module CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss_Interface
-  use Type
-  predicate eventually_sat_complete_no_ass (self : Type.creusat_formula_formula)
-end
-module CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner_Interface as SatInner0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner_Interface as CompleteInner0
-  predicate eventually_sat_complete_no_ass [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 73 4 73 55] (self : Type.creusat_formula_formula)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 74 8 76 9] exists a2 : (Seq.seq uint8) . Seq.length a2 = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self) && CompleteInner0.complete_inner a2 && SatInner0.sat_inner self a2
-end
-module CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface
-  use Type
-  predicate equisat (self : Type.creusat_formula_formula) (o : Type.creusat_formula_formula)
-end
-module CreuSat_Logic_LogicFormula_Impl1_Equisat
-  use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss_Interface as EventuallySatCompleteNoAss0
-  predicate equisat [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 79 4 79 44] (self : Type.creusat_formula_formula) (o : Type.creusat_formula_formula)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 78 4 78 16] EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass self = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass o
-end
-module CreuSat_Logic_LogicFormula_Compatible_Interface
-  use seq.Seq
-  use Type
-  use mach.int.Int
-  predicate compatible (f : (Seq.seq (Type.creusat_clause_clause), int)) (o : (Seq.seq (Type.creusat_clause_clause), int))
-    
-end
-module CreuSat_Logic_LogicFormula_Compatible
-  use seq.Seq
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicClause_Impl2_Equals_Interface as Equals0
-  predicate compatible [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 54 0 54 67] (f : (Seq.seq (Type.creusat_clause_clause), int)) (o : (Seq.seq (Type.creusat_clause_clause), int))
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 55 4 60 5] (let (_, a) = f in a) = (let (_, a) = o in a) && Seq.length (let (a, _) = o in a) >= Seq.length (let (a, _) = f in a) && (forall i : (int) . 0 <= i && i < Seq.length (let (a, _) = f in a) -> Equals0.equals (Seq.get (let (a, _) = f in a) i) (Seq.get (let (a, _) = o in a) i))
-end
-module CreuSat_Logic_LogicFormula_Equisat_Interface
-  use seq.Seq
-  use Type
-  use mach.int.Int
-  predicate equisat (f : (Seq.seq (Type.creusat_clause_clause), int)) (o : (Seq.seq (Type.creusat_clause_clause), int))
-end
-module CreuSat_Logic_LogicFormula_Equisat
-  use seq.Seq
-  use Type
-  use mach.int.Int
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss_Interface as EventuallySatCompleteNoAss0
-  predicate equisat [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 47 0 47 64] (f : (Seq.seq (Type.creusat_clause_clause), int)) (o : (Seq.seq (Type.creusat_clause_clause), int))
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 48 4 50 5] EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass f = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass o
-end
-module CreuSat_Logic_LogicFormula_EquisatCompatibleInner_Interface
-  use seq.Seq
-  use Type
-  use mach.int.Int
-  predicate equisat_compatible_inner (f : (Seq.seq (Type.creusat_clause_clause), int)) (o : (Seq.seq (Type.creusat_clause_clause), int))
-    
-end
-module CreuSat_Logic_LogicFormula_EquisatCompatibleInner
-  use seq.Seq
-  use Type
-  use mach.int.Int
-  clone CreuSat_Logic_LogicFormula_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicFormula_Compatible_Interface as Compatible0
-  predicate equisat_compatible_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 64 0 64 81] (f : (Seq.seq (Type.creusat_clause_clause), int)) (o : (Seq.seq (Type.creusat_clause_clause), int))
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 65 4 67 5] Compatible0.compatible f o && Equisat0.equisat f o
-end
-module CreuSat_Logic_LogicFormula_Impl1_EquisatCompatible_Interface
-  use Type
-  predicate equisat_compatible (self : Type.creusat_formula_formula) (o : Type.creusat_formula_formula)
-end
-module CreuSat_Logic_LogicFormula_Impl1_EquisatCompatible
-  use Type
-  clone CreuSat_Logic_LogicFormula_EquisatCompatibleInner_Interface as EquisatCompatibleInner0
-  clone CreuSat_Logic_LogicFormula_Impl0_Model_Interface as Model0
-  predicate equisat_compatible [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 94 4 94 55] (self : Type.creusat_formula_formula) (o : Type.creusat_formula_formula)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 95 8 95 57] EquisatCompatibleInner0.equisat_compatible_inner (Model0.model self) (Model0.model o)
-end
-module CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic_Interface
-  use Type
-  use mach.int.Int
-  function to_neg_watchidx_logic [@inline:trivial] (self : Type.creusat_lit_lit) : int
-end
-module CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  function to_neg_watchidx_logic [@inline:trivial] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 39 4 39 45] (self : Type.creusat_lit_lit) : int
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 40 8 40 91] IndexLogic0.index_logic self * 2 + (if IsPositiveLogic0.is_positive_logic self then
-      1
-    else
-      0
-    )
-end
-module CreuSat_Lit_Impl1_ToNegWatchidx_Interface
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.UInt64
-  use mach.int.Int32
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic_Interface as ToNegWatchidxLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  val to_neg_watchidx [@cfg:stackify] (self : Type.creusat_lit_lit) : usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 97 4 97 51] IndexLogic0.index_logic self < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 98 4 98 55] UInt64.to_int result = ToNegWatchidxLogic0.to_neg_watchidx_logic self }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 99 4 99 96] UInt64.to_int result = IndexLogic0.index_logic self * 2 + (if IsPositiveLogic0.is_positive_logic self then
-      1
-    else
-      0
-    ) }
-    
-end
-module CreuSat_Lit_Impl1_ToNegWatchidx
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.UInt64
-  use mach.int.Int32
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic as ToNegWatchidxLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl1_IsPositive_Interface as IsPositive0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl1_Index_Interface as Index0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  let rec cfg to_neg_watchidx [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 100 4 100 41] (self : Type.creusat_lit_lit) : usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 97 4 97 51] IndexLogic0.index_logic self < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 98 4 98 55] UInt64.to_int result = ToNegWatchidxLogic0.to_neg_watchidx_logic self }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 99 4 99 96] UInt64.to_int result = IndexLogic0.index_logic self * 2 + (if IsPositiveLogic0.is_positive_logic self then
-      1
-    else
-      0
-    ) }
-    
-   =
-  var _0 : usize;
-  var self_1 : Type.creusat_lit_lit;
-  var _2 : usize;
-  var _3 : usize;
-  var _4 : Type.creusat_lit_lit;
-  var _5 : usize;
-  var _6 : bool;
-  var _7 : Type.creusat_lit_lit;
-  {
-    self_1 <- self;
-    goto BB0
-  }
-  BB0 {
-    _4 <- self_1;
-    _3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 101 8 101 20] Index0.index _4);
-    goto BB1
-  }
-  BB1 {
-    _2 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 101 8 101 24] _3 * (2 : usize));
-    _7 <- self_1;
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 101 30 101 48] IsPositive0.is_positive _7);
-    goto BB2
-  }
-  BB2 {
-    switch (_6)
-      | False -> goto BB4
-      | _ -> goto BB3
-      end
-  }
-  BB3 {
-    _5 <- (1 : usize);
-    goto BB5
-  }
-  BB4 {
-    _5 <- (0 : usize);
-    goto BB5
-  }
-  BB5 {
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 101 8 101 65] _2 + _5);
-    return _0
-  }
-  
-end
-module CreuSat_Watches_Impl0_AddWatcher_Interface
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use Type
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model2
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic_Interface as ToNegWatchidxLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant0
-  val add_watcher [@cfg:stackify] (self : borrowed (Type.creusat_watches_watches)) (lit : Type.creusat_lit_lit) (cref : usize) (_f : Type.creusat_formula_formula) (blocker : Type.creusat_lit_lit) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 105 4 105 43] Invariant0.invariant' ( * self) _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 106 4 106 44] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 107 4 107 50] IndexLogic0.index_logic lit < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 108 4 108 53] IndexLogic0.index_logic blocker < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 109 4 109 68] ToNegWatchidxLogic0.to_neg_watchidx_logic lit < Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 110 4 110 50] Seq.length (Model2.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) > 1}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 105 4 105 43] Invariant0.invariant' ( ^ self) _f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 111 4 111 65] Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( * self))) = Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( ^ self))) }
-    
-end
-module CreuSat_Watches_Impl0_AddWatcher
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model2 with function Model0.model = Model3.model
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic as ToNegWatchidxLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model4.model,
-  function Model1.model = Model0.model, function Model2.model = Model2.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant0 with function Model0.model = Model1.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_watches_watches
-  clone Alloc_Vec_Impl1_Push_Interface as Push0 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, function Model0.model = Model4.model
-  clone CreuSat_Lit_Impl1_ToNegWatchidx_Interface as ToNegWatchidx0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function ToNegWatchidxLogic0.to_neg_watchidx_logic = ToNegWatchidxLogic0.to_neg_watchidx_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type i = usize, type a = Type.alloc_alloc_global, function Model0.model = Model1.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  let rec cfg add_watcher [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 112 4 112 84] (self : borrowed (Type.creusat_watches_watches)) (lit : Type.creusat_lit_lit) (cref : usize) (_f : Type.creusat_formula_formula) (blocker : Type.creusat_lit_lit) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 105 4 105 43] Invariant0.invariant' ( * self) _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 106 4 106 44] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 107 4 107 50] IndexLogic0.index_logic lit < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 108 4 108 53] IndexLogic0.index_logic blocker < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 109 4 109 68] ToNegWatchidxLogic0.to_neg_watchidx_logic lit < Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 110 4 110 50] Seq.length (Model2.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) > 1}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 105 4 105 43] Invariant0.invariant' ( ^ self) _f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 111 4 111 65] Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( * self))) = Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( ^ self))) }
-    
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_watches_watches);
-  var lit_2 : Type.creusat_lit_lit;
-  var cref_3 : usize;
-  var _f_4 : Type.creusat_formula_formula;
-  var blocker_5 : Type.creusat_lit_lit;
-  var _6 : ();
-  var _7 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _8 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _9 : borrowed (Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global));
-  var _10 : usize;
-  var _11 : Type.creusat_lit_lit;
-  var _12 : Type.creusat_watches_watcher;
-  var _13 : usize;
-  var _14 : Type.creusat_lit_lit;
-  {
-    self_1 <- self;
-    lit_2 <- lit;
-    cref_3 <- cref;
-    _f_4 <- _f;
-    blocker_5 <- blocker;
-    goto BB0
-  }
-  BB0 {
-    _9 <- borrow_mut (Type.creusat_watches_watches_Watches_watches ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Watches_Watches a =  * self_1 in Type.CreuSat_Watches_Watches ( ^ _9)) };
-    assume { Resolve0.resolve self_1 };
-    _11 <- lit_2;
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 113 21 113 42] ToNegWatchidx0.to_neg_watchidx _11);
-    goto BB1
-  }
-  BB1 {
-    _8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 113 8 113 43] IndexMut0.index_mut _9 _10);
-    goto BB2
-  }
-  BB2 {
-    _7 <- borrow_mut ( * _8);
-    _8 <- { _8 with current = ( ^ _7) };
-    _13 <- cref_3;
-    _14 <- blocker_5;
-    _12 <- Type.CreuSat_Watches_Watcher _13 _14;
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 113 8 113 75] Push0.push _7 _12);
-    goto BB3
-  }
-  BB3 {
-    assume { Resolve1.resolve _8 };
-    _0 <- ();
-    return _0
-  }
-  
-end
-module CreuSat_Formula_Impl2_AddClause_Interface
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  use prelude.Prelude
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface as EquisatExtensionInner0
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model1 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant3
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val add_clause [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (clause : Type.creusat_clause_clause) (watches : borrowed (Type.creusat_watches_watches)) (_t : Type.creusat_trail_trail) : usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 110 4 110 40] Invariant0.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 111 4 111 40] Invariant1.invariant' _t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 112 4 112 51] Invariant2.invariant' ( * watches) ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 113 4 113 37] Seq.length (Model0.model clause) >= 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 114 4 114 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 117 4 117 49] Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 118 4 118 55] EquisatExtensionInner0.equisat_extension_inner clause (Model1.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 110 4 110 40] Invariant0.invariant' ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 111 4 111 40] Invariant1.invariant' _t ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 112 4 112 51] Invariant2.invariant' ( ^ watches) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 119 4 119 51] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ self)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 120 4 120 35] Equisat0.equisat ( * self) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 121 4 121 48] UInt64.to_int result = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 122 4 122 53] Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) (UInt64.to_int result) = clause }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 123 4 123 69] Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) + 1 = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) }
-    
-end
-module CreuSat_Formula_Impl2_AddClause
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  use prelude.Prelude
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model8 with function Model0.model = Model10.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model8.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model4 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model1 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model4.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model0 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicClause_Impl2_Equals as Equals0 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Compatible as Compatible0 with predicate Equals0.equals = Equals0.equals
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model0.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicFormula_Equisat as Equisat1 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicFormula_EquisatCompatibleInner as EquisatCompatibleInner0 with predicate Compatible0.compatible = Compatible0.compatible,
-  predicate Equisat0.equisat = Equisat1.equisat
-  clone CreuSat_Logic_LogicFormula_Impl1_EquisatCompatible as EquisatCompatible0 with function Model0.model = Model4.model,
-  predicate EquisatCompatibleInner0.equisat_compatible_inner = EquisatCompatibleInner0.equisat_compatible_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model2.model,
-  function Model1.model = Model0.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model2.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model2.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model2.model,
-  function Model1.model = Model0.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model9.model,
-  function Model1.model = Model2.model, function Model2.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model0.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model2.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model4.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model6.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model3.model,
-  function Model1.model = Model8.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model3.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model3.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model5.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model8.model,
-  function Model1.model = Model3.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model5.model, function Model3.model = Model2.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model3.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model5.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model8.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model5.model, function Model1.model = Model3.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_formula_formula
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
-  clone CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic as ToNegWatchidxLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone Alloc_Vec_Impl1_Push_Interface as Push0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model11 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model0.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index0 with function Model0.model = Model11.model
-  clone CreuSat_Watches_Impl0_AddWatcher_Interface as AddWatcher0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model2.model, function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function ToNegWatchidxLogic0.to_neg_watchidx_logic = ToNegWatchidxLogic0.to_neg_watchidx_logic,
-  function Model1.model = Model6.model, function Model2.model = Model0.model
-  let rec cfg add_clause [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 124 4 124 92] (self : borrowed (Type.creusat_formula_formula)) (clause : Type.creusat_clause_clause) (watches : borrowed (Type.creusat_watches_watches)) (_t : Type.creusat_trail_trail) : usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 110 4 110 40] Invariant0.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 111 4 111 40] Invariant1.invariant' _t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 112 4 112 51] Invariant2.invariant' ( * watches) ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 113 4 113 37] Seq.length (Model0.model clause) >= 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 114 4 114 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 117 4 117 49] Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 118 4 118 55] EquisatExtensionInner0.equisat_extension_inner clause (Model1.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 110 4 110 40] Invariant0.invariant' ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 111 4 111 40] Invariant1.invariant' _t ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 112 4 112 51] Invariant2.invariant' ( ^ watches) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 119 4 119 51] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ self)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 120 4 120 35] Equisat0.equisat ( * self) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 121 4 121 48] UInt64.to_int result = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 122 4 122 53] Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) (UInt64.to_int result) = clause }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 123 4 123 69] Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) + 1 = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) }
-    
-   =
-  var _0 : usize;
-  var self_1 : borrowed (Type.creusat_formula_formula);
-  var clause_2 : Type.creusat_clause_clause;
-  var watches_3 : borrowed (Type.creusat_watches_watches);
-  var _t_4 : Type.creusat_trail_trail;
-  ghost var old_self_5 : borrowed (Type.creusat_formula_formula);
-  var _6 : ();
-  var cref_7 : usize;
-  var _8 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var first_lit_9 : Type.creusat_lit_lit;
-  var _10 : Type.creusat_lit_lit;
-  var _11 : Type.creusat_clause_clause;
-  var second_lit_12 : Type.creusat_lit_lit;
-  var _13 : Type.creusat_lit_lit;
-  var _14 : Type.creusat_clause_clause;
-  var _15 : ();
-  var _16 : borrowed (Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global));
-  var _17 : Type.creusat_clause_clause;
-  var _18 : ();
-  var _19 : borrowed (Type.creusat_watches_watches);
-  var _20 : Type.creusat_lit_lit;
-  var _21 : usize;
-  var _22 : Type.creusat_formula_formula;
-  var _23 : Type.creusat_lit_lit;
-  var _24 : ();
-  var _25 : borrowed (Type.creusat_watches_watches);
-  var _26 : Type.creusat_lit_lit;
-  var _27 : usize;
-  var _28 : Type.creusat_formula_formula;
-  var _29 : Type.creusat_lit_lit;
-  var _30 : ();
-  var _31 : ();
-  var _32 : ();
-  var _33 : ();
-  {
-    self_1 <- self;
-    clause_2 <- clause;
-    watches_3 <- watches;
-    _t_4 <- _t;
-    goto BB0
-  }
-  BB0 {
-    goto BB1
-  }
-  BB1 {
-    goto BB2
-  }
-  BB2 {
-    goto BB3
-  }
-  BB3 {
-    goto BB4
-  }
-  BB4 {
-    _6 <- ();
-    old_self_5 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 125 23 125 38] self_1);
-    goto BB5
-  }
-  BB5 {
-    _8 <- Type.creusat_formula_formula_Formula_clauses ( * self_1);
-    cref_7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 126 19 126 37] Len0.len _8);
-    goto BB6
-  }
-  BB6 {
-    _11 <- clause_2;
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 131 24 131 33] Index0.index _11 (0 : usize));
-    goto BB7
-  }
-  BB7 {
-    first_lit_9 <- _10;
-    _14 <- clause_2;
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 132 25 132 34] Index0.index _14 (1 : usize));
-    goto BB8
-  }
-  BB8 {
-    second_lit_12 <- _13;
-    _16 <- borrow_mut (Type.creusat_formula_formula_Formula_clauses ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Formula_Formula a b =  * self_1 in Type.CreuSat_Formula_Formula ( ^ _16) b) };
-    _17 <- clause_2;
-    _15 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 133 8 133 33] Push0.push _16 _17);
-    goto BB9
-  }
-  BB9 {
-    _19 <- borrow_mut ( * watches_3);
-    watches_3 <- { watches_3 with current = ( ^ _19) };
-    _20 <- first_lit_9;
-    _21 <- cref_7;
-    _22 <-  * self_1;
-    _23 <- second_lit_12;
-    _18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 134 8 134 62] AddWatcher0.add_watcher _19 _20 _21 _22 _23);
-    goto BB10
-  }
-  BB10 {
-    _25 <- borrow_mut ( * watches_3);
-    watches_3 <- { watches_3 with current = ( ^ _25) };
-    _26 <- second_lit_12;
-    _27 <- cref_7;
-    _28 <-  * self_1;
-    assume { Resolve0.resolve self_1 };
-    _29 <- first_lit_9;
-    _24 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 135 8 135 62] AddWatcher0.add_watcher _25 _26 _27 _28 _29);
-    goto BB11
-  }
-  BB11 {
-    assume { Resolve1.resolve watches_3 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 136 8 136 49]  ^ old_self_5 =  ^ self_1 };
-    _30 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 137 8 137 57] EquisatCompatible0.equisat_compatible ( * old_self_5) ( * self_1) };
-    _31 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 138 8 138 46] Equisat0.equisat ( * old_self_5) ( * self_1) };
-    _32 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 139 8 139 56] TrailInvariant0.trail_invariant (Model3.model (Type.creusat_trail_trail_Trail_trail _t_4)) ( * self_1) };
-    _33 <- ();
-    _0 <- cref_7;
-    goto BB12
-  }
-  BB12 {
-    return _0
-  }
-  
-end
-module CreuSat_Formula_Impl2_AddUnwatchedClause_Interface
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  use prelude.Prelude
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface as EquisatExtensionInner0
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model1 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant3
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val add_unwatched_clause [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (clause : Type.creusat_clause_clause) (watches : borrowed (Type.creusat_watches_watches)) (_t : Type.creusat_trail_trail) : usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 144 4 144 40] Invariant0.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 145 4 145 40] Invariant1.invariant' _t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 146 4 146 51] Invariant2.invariant' ( * watches) ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 147 4 147 37] Seq.length (Model0.model clause) >= 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 148 4 148 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 151 4 151 49] Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 152 4 152 55] EquisatExtensionInner0.equisat_extension_inner clause (Model1.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 144 4 144 40] Invariant0.invariant' ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 145 4 145 40] Invariant1.invariant' _t ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 146 4 146 51] Invariant2.invariant' ( ^ watches) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 153 4 153 51] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ self)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 154 4 154 35] Equisat0.equisat ( * self) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 155 4 155 48] UInt64.to_int result = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 156 4 156 53] Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) (UInt64.to_int result) = clause }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 157 4 157 69] Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) + 1 = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) }
-    
-end
-module CreuSat_Formula_Impl2_AddUnwatchedClause
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  use prelude.Prelude
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model8 with function Model0.model = Model10.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model8.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model4 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model1 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model4.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model0 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicClause_Impl2_Equals as Equals0 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Compatible as Compatible0 with predicate Equals0.equals = Equals0.equals
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model0.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicFormula_Equisat as Equisat1 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicFormula_EquisatCompatibleInner as EquisatCompatibleInner0 with predicate Compatible0.compatible = Compatible0.compatible,
-  predicate Equisat0.equisat = Equisat1.equisat
-  clone CreuSat_Logic_LogicFormula_Impl1_EquisatCompatible as EquisatCompatible0 with function Model0.model = Model4.model,
-  predicate EquisatCompatibleInner0.equisat_compatible_inner = EquisatCompatibleInner0.equisat_compatible_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model2.model,
-  function Model1.model = Model0.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model2.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model2.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model2.model,
-  function Model1.model = Model0.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model9.model,
-  function Model1.model = Model2.model, function Model2.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model0.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model2.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model4.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model6.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model3.model,
-  function Model1.model = Model8.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model3.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model3.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model5.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model8.model,
-  function Model1.model = Model3.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model5.model, function Model3.model = Model2.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model3.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model5.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model8.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model5.model, function Model1.model = Model3.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_formula_formula
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_watches_watches
-  clone Alloc_Vec_Impl1_Push_Interface as Push0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model
-  let rec cfg add_unwatched_clause [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 158 4 158 102] (self : borrowed (Type.creusat_formula_formula)) (clause : Type.creusat_clause_clause) (watches : borrowed (Type.creusat_watches_watches)) (_t : Type.creusat_trail_trail) : usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 144 4 144 40] Invariant0.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 145 4 145 40] Invariant1.invariant' _t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 146 4 146 51] Invariant2.invariant' ( * watches) ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 147 4 147 37] Seq.length (Model0.model clause) >= 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 148 4 148 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 151 4 151 49] Invariant3.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 152 4 152 55] EquisatExtensionInner0.equisat_extension_inner clause (Model1.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 144 4 144 40] Invariant0.invariant' ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 145 4 145 40] Invariant1.invariant' _t ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 146 4 146 51] Invariant2.invariant' ( ^ watches) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 153 4 153 51] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ self)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 154 4 154 35] Equisat0.equisat ( * self) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 155 4 155 48] UInt64.to_int result = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 156 4 156 53] Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) (UInt64.to_int result) = clause }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 157 4 157 69] Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) + 1 = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) }
-    
-   =
-  var _0 : usize;
-  var self_1 : borrowed (Type.creusat_formula_formula);
-  var clause_2 : Type.creusat_clause_clause;
-  var watches_3 : borrowed (Type.creusat_watches_watches);
-  var _t_4 : Type.creusat_trail_trail;
-  ghost var old_self_5 : borrowed (Type.creusat_formula_formula);
-  var _6 : ();
-  var cref_7 : usize;
-  var _8 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _9 : ();
-  var _10 : borrowed (Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global));
-  var _11 : Type.creusat_clause_clause;
-  var _12 : ();
-  var _13 : ();
-  {
-    self_1 <- self;
-    clause_2 <- clause;
-    watches_3 <- watches;
-    _t_4 <- _t;
-    goto BB0
-  }
-  BB0 {
-    assume { Resolve0.resolve watches_3 };
-    goto BB1
-  }
-  BB1 {
-    goto BB2
-  }
-  BB2 {
-    goto BB3
-  }
-  BB3 {
-    goto BB4
-  }
-  BB4 {
-    _6 <- ();
-    old_self_5 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 159 23 159 38] self_1);
-    goto BB5
-  }
-  BB5 {
-    _8 <- Type.creusat_formula_formula_Formula_clauses ( * self_1);
-    cref_7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 160 19 160 37] Len0.len _8);
-    goto BB6
-  }
-  BB6 {
-    _10 <- borrow_mut (Type.creusat_formula_formula_Formula_clauses ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Formula_Formula a b =  * self_1 in Type.CreuSat_Formula_Formula ( ^ _10) b) };
-    _11 <- clause_2;
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 161 8 161 33] Push0.push _10 _11);
-    goto BB7
-  }
-  BB7 {
-    assume { Resolve1.resolve self_1 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 162 8 162 57] EquisatCompatible0.equisat_compatible ( * old_self_5) ( * self_1) };
-    _12 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 163 8 163 56] TrailInvariant0.trail_invariant (Model3.model (Type.creusat_trail_trail_Trail_trail _t_4)) ( * self_1) };
-    _13 <- ();
-    _0 <- cref_7;
-    goto BB8
-  }
-  BB8 {
-    return _0
-  }
-  
-end
-module CreuSat_Formula_Impl2_AddUnit_Interface
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  use prelude.Prelude
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicFormula_Impl1_EquisatCompatible_Interface as EquisatCompatible0
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface as EquisatExtensionInner0
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model1 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner_Interface as NoDuplicateIndexesInner0
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner_Interface as VarsInRangeInner0
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val add_unit [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (clause : Type.creusat_clause_clause) (_t : Type.creusat_trail_trail) : usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 168 4 168 40] Invariant0.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 169 4 169 40] Invariant1.invariant' _t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 170 4 170 37] Seq.length (Model0.model clause) = 1}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 171 4 171 49] Invariant2.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 172 4 172 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 173 4 173 61] VarsInRangeInner0.vars_in_range_inner (Model0.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 174 4 174 52] NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model0.model clause)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 175 4 175 55] EquisatExtensionInner0.equisat_extension_inner clause (Model1.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 168 4 168 40] Invariant0.invariant' ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 169 4 169 40] Invariant1.invariant' _t ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 176 4 176 51] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ self)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 177 4 177 46] EquisatCompatible0.equisat_compatible ( * self) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 178 4 178 35] Equisat0.equisat ( * self) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 179 4 179 48] UInt64.to_int result = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 180 4 180 57] Seq.length (Model0.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) (UInt64.to_int result))) = 1 }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 181 4 181 69] Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) + 1 = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) }
-    
-end
-module CreuSat_Formula_Impl2_AddUnit
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  use prelude.Prelude
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model7 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model3 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model1 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model3.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model7.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant3 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model0 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicClause_Impl2_Equals as Equals0 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Compatible as Compatible0 with predicate Equals0.equals = Equals0.equals
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model0.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicFormula_Equisat as Equisat1 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicFormula_EquisatCompatibleInner as EquisatCompatibleInner0 with predicate Compatible0.compatible = Compatible0.compatible,
-  predicate Equisat0.equisat = Equisat1.equisat
-  clone CreuSat_Logic_LogicFormula_Impl1_EquisatCompatible as EquisatCompatible0 with function Model0.model = Model3.model,
-  predicate EquisatCompatibleInner0.equisat_compatible_inner = EquisatCompatibleInner0.equisat_compatible_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant6 with function Model0.model = Model2.model,
-  function Model1.model = Model0.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant3.invariant',
-  predicate Invariant1.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model2.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model2.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model2.model,
-  function Model1.model = Model0.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant2 with function Model0.model = Model0.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model2.model,
-  predicate Invariant0.invariant' = Invariant2.invariant', function Model1.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model3.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model5.model,
-  function Model1.model = Model7.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model5.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model5.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model4.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model7.model,
-  function Model1.model = Model5.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model4.model, function Model3.model = Model2.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model5.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model4.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model7.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model4.model, function Model1.model = Model5.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_formula_formula
-  clone Alloc_Vec_Impl1_Push_Interface as Push0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model
-  let rec cfg add_unit [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 182 4 182 67] (self : borrowed (Type.creusat_formula_formula)) (clause : Type.creusat_clause_clause) (_t : Type.creusat_trail_trail) : usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 168 4 168 40] Invariant0.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 169 4 169 40] Invariant1.invariant' _t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 170 4 170 37] Seq.length (Model0.model clause) = 1}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 171 4 171 49] Invariant2.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 172 4 172 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 173 4 173 61] VarsInRangeInner0.vars_in_range_inner (Model0.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 174 4 174 52] NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model0.model clause)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 175 4 175 55] EquisatExtensionInner0.equisat_extension_inner clause (Model1.model self)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 168 4 168 40] Invariant0.invariant' ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 169 4 169 40] Invariant1.invariant' _t ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 176 4 176 51] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ self)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 177 4 177 46] EquisatCompatible0.equisat_compatible ( * self) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 178 4 178 35] Equisat0.equisat ( * self) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 179 4 179 48] UInt64.to_int result = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 180 4 180 57] Seq.length (Model0.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) (UInt64.to_int result))) = 1 }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 181 4 181 69] Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * self))) + 1 = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ self))) }
-    
-   =
-  var _0 : usize;
-  var self_1 : borrowed (Type.creusat_formula_formula);
-  var clause_2 : Type.creusat_clause_clause;
-  var _t_3 : Type.creusat_trail_trail;
-  ghost var old_self_4 : borrowed (Type.creusat_formula_formula);
-  var _5 : ();
-  var cref_6 : usize;
-  var _7 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _8 : ();
-  var _9 : borrowed (Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global));
-  var _10 : Type.creusat_clause_clause;
-  var _11 : ();
-  {
-    self_1 <- self;
-    clause_2 <- clause;
-    _t_3 <- _t;
-    goto BB0
-  }
-  BB0 {
-    goto BB1
-  }
-  BB1 {
-    goto BB2
-  }
-  BB2 {
-    goto BB3
-  }
-  BB3 {
-    goto BB4
-  }
-  BB4 {
-    goto BB5
-  }
-  BB5 {
-    _5 <- ();
-    old_self_4 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 183 23 183 38] self_1);
-    goto BB6
-  }
-  BB6 {
-    _7 <- Type.creusat_formula_formula_Formula_clauses ( * self_1);
-    cref_6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 184 19 184 37] Len0.len _7);
-    goto BB7
-  }
-  BB7 {
-    _9 <- borrow_mut (Type.creusat_formula_formula_Formula_clauses ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Formula_Formula a b =  * self_1 in Type.CreuSat_Formula_Formula ( ^ _9) b) };
-    _10 <- clause_2;
-    _8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 185 8 185 33] Push0.push _9 _10);
-    goto BB8
-  }
-  BB8 {
-    assume { Resolve0.resolve self_1 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 186 8 186 57] EquisatCompatible0.equisat_compatible ( * old_self_4) ( * self_1) };
-    _11 <- ();
-    _0 <- cref_6;
-    goto BB9
-  }
-  BB9 {
-    return _0
-  }
-  
-end
-module CreuSat_Logic_LogicFormula_Impl1_Sat_Interface
-  use Type
-  predicate sat (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
-end
-module CreuSat_Logic_LogicFormula_Impl1_Sat
-  use Type
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner_Interface as FormulaSatInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model1
-  clone CreuSat_Logic_LogicFormula_Impl0_Model_Interface as Model0
-  predicate sat [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 150 4 150 44] (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 151 8 151 50] FormulaSatInner0.formula_sat_inner (Model0.model self) (Model1.model a)
-end
-module CreuSat_Formula_Impl2_IsSat_Interface
-  use prelude.Prelude
-  use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_Sat_Interface as Sat0
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val is_sat [@cfg:stackify] (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 192 4 192 33] Invariant0.invariant' self}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 193 4 193 35] Invariant1.invariant' a self}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 194 4 194 38] result = Sat0.sat self a }
-    
-end
-module CreuSat_Formula_Impl2_IsSat
-  use prelude.Prelude
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  use seq.Seq
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant3 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model3 with function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant2 with function Model0.model = Model3.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model3.model
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner0 with function Model0.model = Model3.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model2 with function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicClause_Impl2_Sat as Sat1 with function Model0.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant1 with function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model1 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Sat as Sat0 with function Model0.model = Model1.model,
-  function Model1.model = Model2.model,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant2.invariant', function Model1.model = Model3.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model1.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model
-  clone CreuSat_Formula_Impl2_IsClauseSat_Interface as IsClauseSat0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', function Model0.model = Model0.model,
-  predicate Sat0.sat = Sat1.sat, predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg is_sat [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 195 4 195 49] (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 192 4 192 33] Invariant0.invariant' self}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 193 4 193 35] Invariant1.invariant' a self}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 194 4 194 38] result = Sat0.sat self a }
-    
-   =
-  var _0 : bool;
-  var self_1 : Type.creusat_formula_formula;
-  var a_2 : Type.creusat_assignments_assignments;
-  var i_3 : usize;
-  var _4 : ();
-  var _5 : ();
-  var _6 : bool;
-  var _7 : usize;
-  var _8 : usize;
-  var _9 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _10 : ();
-  var _11 : bool;
-  var _12 : bool;
-  var _13 : Type.creusat_formula_formula;
-  var _14 : usize;
-  var _15 : Type.creusat_assignments_assignments;
-  var _16 : ();
-  var _17 : ();
-  var _18 : ();
-  var _19 : ();
-  {
-    self_1 <- self;
-    a_2 <- a;
-    goto BB0
-  }
-  BB0 {
-    i_3 <- (0 : usize);
-    goto BB1
-  }
-  BB1 {
-    invariant prev { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 197 8 197 90] forall k : (int) . 0 <= k && k < UInt64.to_int i_3 -> Sat1.sat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses self_1)) k) a_2 };
-    _7 <- i_3;
-    _9 <- Type.creusat_formula_formula_Formula_clauses self_1;
-    _8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 198 18 198 36] Len0.len _9);
-    goto BB2
-  }
-  BB2 {
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 198 14 198 36] _7 < _8);
-    switch (_6)
-      | False -> goto BB7
-      | _ -> goto BB3
-      end
-  }
-  BB3 {
-    _13 <- self_1;
-    _14 <- i_3;
-    _15 <- a_2;
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 199 16 199 40] IsClauseSat0.is_clause_sat _13 _14 _15);
-    goto BB4
-  }
-  BB4 {
-    _11 <- not _12;
-    switch (_11)
-      | False -> goto BB6
-      | _ -> goto BB5
-      end
-  }
-  BB5 {
-    _0 <- false;
-    goto BB8
-  }
-  BB6 {
-    _10 <- ();
-    i_3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 202 12 202 18] i_3 + (1 : usize));
-    _5 <- ();
-    goto BB1
-  }
-  BB7 {
-    _4 <- ();
-    _0 <- true;
-    goto BB8
-  }
-  BB8 {
-    return _0
-  }
-  
-end
-module CreuSat_Logic_LogicWatches_WatcherCrefsInRange_Interface
-  use seq.Seq
-  use Type
-  predicate watcher_crefs_in_range (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula)
-end
-module CreuSat_Logic_LogicWatches_WatcherCrefsInRange
-  use seq.Seq
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  predicate watcher_crefs_in_range [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 35 0 35 66] (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 36 4 39 5] forall j : (int) . 0 <= j && j < Seq.length w -> UInt64.to_int (Type.creusat_watches_watcher_Watcher_cref (Seq.get w j)) < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))
-end
-module CreuSat_Logic_LogicUtil_Pop_Interface
-  type t
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use seq_ext.SeqExt
-  function pop (s : Seq.seq t) : Seq.seq t
-end
-module CreuSat_Logic_LogicUtil_Pop
-  type t
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use seq_ext.SeqExt
-  function pop [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 68 0 68 34] (s : Seq.seq t) : Seq.seq t =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 69 4 71 5] SeqExt.subsequence s 0 (Seq.length s - 1)
-  axiom pop_spec : forall s : Seq.seq t . ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 64 0 64 24] Seq.length s > 0) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 67 0 67 75] forall i : (int) . 0 <= i && i < Seq.length (pop s) -> Seq.get (pop s) i = Seq.get s i) && ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 66 0 66 39] Seq.length (pop s) = Seq.length s - 1) && ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 65 0 65 51] pop s = SeqExt.subsequence s 0 (Seq.length s - 1))
-end
-module CreuSat_Logic_LogicUtil_Pop_Impl
-  type t
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use seq_ext.SeqExt
-  let rec ghost function pop (s : Seq.seq t) : Seq.seq t
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 64 0 64 24] Seq.length s > 0}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 65 0 65 51] result = SeqExt.subsequence s 0 (Seq.length s - 1) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 66 0 66 39] Seq.length result = Seq.length s - 1 }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 67 0 67 75] forall i : (int) . 0 <= i && i < Seq.length result -> Seq.get result i = Seq.get s i }
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 69 4 71 5] SeqExt.subsequence s 0 (Seq.length s - 1)
-end
-module CreuSat_Logic_LogicWatches_LemmaPopWatchMaintainsWatcherInvariant_Interface
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use Type
-  clone CreuSat_Logic_LogicUtil_Pop_Interface as Pop0 with type t = Type.creusat_watches_watcher, axiom .
-  clone CreuSat_Logic_LogicWatches_WatcherCrefsInRange_Interface as WatcherCrefsInRange0
-  function lemma_pop_watch_maintains_watcher_invariant (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula) : ()
-    
-end
-module CreuSat_Logic_LogicWatches_LemmaPopWatchMaintainsWatcherInvariant
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use Type
-  clone CreuSat_Logic_LogicUtil_Pop_Interface as Pop0 with type t = Type.creusat_watches_watcher, axiom .
-  clone CreuSat_Logic_LogicWatches_WatcherCrefsInRange_Interface as WatcherCrefsInRange0
-  function lemma_pop_watch_maintains_watcher_invariant [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 55 0 55 79] (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula) : ()
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 50 0 50 8] ()
-  axiom lemma_pop_watch_maintains_watcher_invariant_spec : forall w : Seq.seq (Type.creusat_watches_watcher), f : Type.creusat_formula_formula . ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 52 0 52 24] Seq.length w > 0) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 53 0 53 41] WatcherCrefsInRange0.watcher_crefs_in_range w f) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 54 0 54 45] WatcherCrefsInRange0.watcher_crefs_in_range (Pop0.pop w) f)
-end
-module CreuSat_Logic_LogicWatches_LemmaPopWatchMaintainsWatcherInvariant_Impl
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use Type
-  clone CreuSat_Logic_LogicUtil_Pop as Pop0 with type t = Type.creusat_watches_watcher, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_WatcherCrefsInRange as WatcherCrefsInRange0 with function Model0.model = Model0.model
-  let rec ghost function lemma_pop_watch_maintains_watcher_invariant (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 52 0 52 24] Seq.length w > 0}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 53 0 53 41] WatcherCrefsInRange0.watcher_crefs_in_range w f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 54 0 54 45] WatcherCrefsInRange0.watcher_crefs_in_range (Pop0.pop w) f }
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 50 0 50 8] ()
-end
-module CreuSat_Watches_Impl0_Unwatch_Interface
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant0
-  val unwatch [@cfg:stackify] (self : borrowed (Type.creusat_watches_watches)) (f : Type.creusat_formula_formula) (trail : Type.creusat_trail_trail) (cref : usize) (lit : Type.creusat_lit_lit) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 155 4 155 42] Invariant0.invariant' ( * self) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 156 4 156 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 157 4 157 48] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 158 4 158 30] Invariant1.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 159 4 159 36] Invariant2.invariant' trail f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 160 4 160 43] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 161 4 161 50] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) >= 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 155 4 155 42] Invariant0.invariant' ( ^ self) f }
-    
-end
-module CreuSat_Watches_Impl0_Unwatch
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model8 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicUtil_Pop as Pop0 with type t = Type.creusat_watches_watcher, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model7.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model4 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicWatches_WatcherCrefsInRange as WatcherCrefsInRange0 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicWatches_LemmaPopWatchMaintainsWatcherInvariant as LemmaPopWatchMaintainsWatcherInvariant0 with predicate WatcherCrefsInRange0.watcher_crefs_in_range = WatcherCrefsInRange0.watcher_crefs_in_range,
-  function Pop0.pop = Pop0.pop, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model5.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model6.model,
-  function Model1.model = Model8.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model8.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model1.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model4.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model6.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model6.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model8.model,
-  function Model1.model = Model6.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model5.model, function Model3.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model6.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model5.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model8.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant2 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model5.model, function Model1.model = Model6.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model3.model,
-  function Model1.model = Model0.model, function Model2.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant0 with function Model0.model = Model2.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  use mach.int.Int64
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = seq (Type.creusat_watches_watcher)
-  clone CreusotContracts_Std1_Slice_Impl0_Model as Model10 with type t = Type.creusat_watches_watcher, axiom .
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model11 with type t = seq (Type.creusat_watches_watcher),
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model10.model
-  clone Core_Slice_Impl0_Swap_Interface as Swap0 with type t = Type.creusat_watches_watcher,
-  function Model0.model = Model11.model, function Model1.model = Model10.model
-  clone Core_Slice_Index_Impl2_Output as Output1 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue1 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds1 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone Alloc_Vec_Impl1_Pop_Interface as Pop1 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, function Model0.model = Model3.model
-  clone Alloc_Vec_Impl11_DerefMut_Interface as DerefMut0 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, function Model0.model = Model10.model, function Model1.model = Model3.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index1 with type t = Type.creusat_watches_watcher, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model3.model,
-  predicate InBounds0.in_bounds = InBounds1.in_bounds, predicate HasValue0.has_value = HasValue1.has_value,
-  type Output0.output = Output1.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, function Model0.model = Model3.model
-  clone CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic as ToNegWatchidxLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl1_ToNegWatchidx_Interface as ToNegWatchidx0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function ToNegWatchidxLogic0.to_neg_watchidx_logic = ToNegWatchidxLogic0.to_neg_watchidx_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type i = usize, type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type i = usize, type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  let rec cfg unwatch [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 162 4 162 80] (self : borrowed (Type.creusat_watches_watches)) (f : Type.creusat_formula_formula) (trail : Type.creusat_trail_trail) (cref : usize) (lit : Type.creusat_lit_lit) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 155 4 155 42] Invariant0.invariant' ( * self) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 156 4 156 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 157 4 157 48] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 158 4 158 30] Invariant1.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 159 4 159 36] Invariant2.invariant' trail f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 160 4 160 43] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 161 4 161 50] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) >= 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 155 4 155 42] Invariant0.invariant' ( ^ self) f }
-    
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_watches_watches);
-  var f_2 : Type.creusat_formula_formula;
-  var trail_3 : Type.creusat_trail_trail;
-  var cref_4 : usize;
-  var lit_5 : Type.creusat_lit_lit;
-  var watchidx_6 : usize;
-  var _7 : Type.creusat_lit_lit;
-  var i_8 : usize;
-  var _9 : ();
-  var _10 : bool;
-  var _11 : usize;
-  var _12 : usize;
-  var _13 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _14 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _15 : Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global);
-  var _16 : usize;
-  var _17 : ();
-  var _18 : bool;
-  var _19 : usize;
-  var _20 : Type.creusat_watches_watcher;
-  var _21 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _22 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _23 : Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global);
-  var _24 : usize;
-  var _25 : usize;
-  var _26 : usize;
-  var _27 : ();
-  var end'_28 : usize;
-  var _29 : usize;
-  var _30 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _31 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _32 : Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global);
-  var _33 : usize;
-  var _34 : ();
-  var _35 : borrowed (seq (Type.creusat_watches_watcher));
-  var _36 : borrowed (seq (Type.creusat_watches_watcher));
-  var _37 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _38 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _39 : borrowed (Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global));
-  var _40 : usize;
-  var _41 : usize;
-  var _42 : usize;
-  ghost var old_w_43 : borrowed (Type.creusat_watches_watches);
-  var _44 : ();
-  var _45 : ();
-  var _46 : Type.core_option_option (Type.creusat_watches_watcher);
-  var _47 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _48 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _49 : borrowed (Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global));
-  var _50 : usize;
-  var _51 : isize;
-  var w_52 : Type.creusat_watches_watcher;
-  var _53 : ();
-  var _54 : ();
-  var _55 : ();
-  var _56 : ();
-  var _57 : ();
-  var _58 : ();
-  var _59 : ();
-  var _60 : ();
-  var _61 : ();
-  var _62 : ();
-  var _63 : ();
-  {
-    self_1 <- self;
-    f_2 <- f;
-    trail_3 <- trail;
-    cref_4 <- cref;
-    lit_5 <- lit;
-    goto BB0
-  }
-  BB0 {
-    _7 <- lit_5;
-    watchidx_6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 163 23 163 44] ToNegWatchidx0.to_neg_watchidx _7);
-    goto BB1
-  }
-  BB1 {
-    i_8 <- (0 : usize);
-    goto BB2
-  }
-  BB2 {
-    invariant self_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 165 8 165 50] Invariant0.invariant' ( * self_1) f_2 };
-    _11 <- i_8;
-    _15 <- Type.creusat_watches_watches_Watches_watches ( * self_1);
-    _16 <- watchidx_6;
-    _14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 166 18 166 40] Index0.index _15 _16);
-    goto BB3
-  }
-  BB3 {
-    _13 <- _14;
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 166 18 166 46] Len0.len _13);
-    goto BB4
-  }
-  BB4 {
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 166 14 166 46] _11 < _12);
-    switch (_10)
-      | False -> goto BB21
-      | _ -> goto BB5
-      end
-  }
-  BB5 {
-    _23 <- Type.creusat_watches_watches_Watches_watches ( * self_1);
-    _24 <- watchidx_6;
-    _22 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 167 15 167 37] Index0.index _23 _24);
-    goto BB6
-  }
-  BB6 {
-    _21 <- _22;
-    _25 <- i_8;
-    _20 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 167 15 167 40] Index1.index _21 _25);
-    goto BB7
-  }
-  BB7 {
-    _19 <- Type.creusat_watches_watcher_Watcher_cref _20;
-    _26 <- cref_4;
-    _18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 167 15 167 53] _19 = _26);
-    switch (_18)
-      | False -> goto BB20
-      | _ -> goto BB8
-      end
-  }
-  BB8 {
-    _32 <- Type.creusat_watches_watches_Watches_watches ( * self_1);
-    _33 <- watchidx_6;
-    _31 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 168 26 168 48] Index0.index _32 _33);
-    goto BB9
-  }
-  BB9 {
-    _30 <- _31;
-    _29 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 168 26 168 54] Len0.len _30);
-    goto BB10
-  }
-  BB10 {
-    end'_28 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 168 26 168 58] _29 - (1 : usize));
-    _39 <- borrow_mut (Type.creusat_watches_watches_Watches_watches ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Watches_Watches a =  * self_1 in Type.CreuSat_Watches_Watches ( ^ _39)) };
-    _40 <- watchidx_6;
-    _38 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 169 16 169 38] IndexMut0.index_mut _39 _40);
-    goto BB11
-  }
-  BB11 {
-    _37 <- borrow_mut ( * _38);
-    _38 <- { _38 with current = ( ^ _37) };
-    assume { Resolve0.resolve _38 };
-    _36 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 169 16 169 51] DerefMut0.deref_mut _37);
-    goto BB12
-  }
-  BB12 {
-    _35 <- borrow_mut ( * _36);
-    _36 <- { _36 with current = ( ^ _35) };
-    _41 <- i_8;
-    _42 <- end'_28;
-    _34 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 169 16 169 51] Swap0.swap _35 _41 _42);
-    goto BB13
-  }
-  BB13 {
-    assume { Resolve1.resolve _36 };
-    _44 <- ();
-    old_w_43 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 170 28 170 43] self_1);
-    goto BB14
-  }
-  BB14 {
-    _49 <- borrow_mut (Type.creusat_watches_watches_Watches_watches ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Watches_Watches a =  * self_1 in Type.CreuSat_Watches_Watches ( ^ _49)) };
-    assume { Resolve2.resolve self_1 };
-    _50 <- watchidx_6;
-    _48 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 171 22 171 44] IndexMut0.index_mut _49 _50);
-    goto BB15
-  }
-  BB15 {
-    _47 <- borrow_mut ( * _48);
-    _48 <- { _48 with current = ( ^ _47) };
-    _46 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 171 22 171 50] Pop1.pop _47);
-    goto BB16
-  }
-  BB16 {
-    assume { Resolve0.resolve _48 };
-    switch (_46)
-      | Type.Core_Option_Option_None -> goto BB17
-      | Type.Core_Option_Option_Some _ -> goto BB19
-      end
-  }
-  BB17 {
-    absurd
-  }
-  BB18 {
-    absurd
-  }
-  BB19 {
-    w_52 <- Type.core_option_option_Some_0 _46;
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 173 24 173 62]  ^ old_w_43 =  ^ self_1 };
-    _53 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 174 24 174 122] let _ = LemmaPopWatchMaintainsWatcherInvariant0.lemma_pop_watch_maintains_watcher_invariant (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * old_w_43))) (UInt64.to_int watchidx_6))) f_2 in true };
-    _54 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 175 24 175 100] WatcherCrefsInRange0.watcher_crefs_in_range (Pop0.pop (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * old_w_43))) (UInt64.to_int watchidx_6)))) f_2 };
-    _55 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 176 24 176 103] Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * self_1))) (UInt64.to_int watchidx_6)) = Pop0.pop (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * old_w_43))) (UInt64.to_int watchidx_6))) };
-    _56 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 177 24 177 94] WatcherCrefsInRange0.watcher_crefs_in_range (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * self_1))) (UInt64.to_int watchidx_6))) f_2 };
-    _57 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 178 24 178 57] Invariant0.invariant' ( * self_1) f_2 };
-    _58 <- ();
-    _45 <- ();
-    _0 <- ();
-    goto BB22
-  }
-  BB20 {
-    _17 <- ();
-    i_8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 186 12 186 18] i_8 + (1 : usize));
-    _9 <- ();
-    goto BB2
-  }
-  BB21 {
-    assume { Resolve2.resolve self_1 };
-    _0 <- ();
-    goto BB22
-  }
-  BB22 {
-    return _0
-  }
-  
-end
-module CreuSat_Formula_Impl2_DeleteClause_Interface
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant0
-  val delete_clause [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (cref : usize) (watches : borrowed (Type.creusat_watches_watches)) (t : Type.creusat_trail_trail) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 208 4 208 51] Invariant0.invariant' ( * watches) ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 209 4 209 40] Invariant1.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 210 4 210 42] Invariant2.invariant' t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 211 4 211 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 212 4 212 52] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * self))) (UInt64.to_int cref))) > 1}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 213 4 213 46] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * self)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 208 4 208 51] Invariant0.invariant' ( ^ watches) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 209 4 209 40] Invariant1.invariant' ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 210 4 210 42] Invariant2.invariant' t ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 214 4 214 35] Equisat0.equisat ( * self) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 215 4 215 49] Type.creusat_formula_formula_Formula_num_vars ( * self) = Type.creusat_formula_formula_Formula_num_vars ( ^ self) }
-    
-end
-module CreuSat_Formula_Impl2_DeleteClause
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model8 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model8.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model1.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model1.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model1.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model0.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model3 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model3.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model7.model,
-  function Model1.model = Model0.model, function Model2.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model5.model,
-  function Model1.model = Model8.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model5.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model5.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model4.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model8.model,
-  function Model1.model = Model5.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model4.model, function Model3.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model5.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model4.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model8.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant2 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model4.model, function Model1.model = Model5.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant0 with function Model0.model = Model2.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_formula_formula
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_watches_watches
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_clause_clause
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model10 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index1 with function Model0.model = Model10.model
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = Type.creusat_clause_clause, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.creusat_clause_clause, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  clone CreuSat_Watches_Impl0_Unwatch_Interface as Unwatch0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate Invariant1.invariant' = Invariant1.invariant',
-  predicate Invariant2.invariant' = Invariant2.invariant', function Model0.model = Model0.model,
-  function Model1.model = Model1.model, predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg delete_clause [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 216 4 216 78] (self : borrowed (Type.creusat_formula_formula)) (cref : usize) (watches : borrowed (Type.creusat_watches_watches)) (t : Type.creusat_trail_trail) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 208 4 208 51] Invariant0.invariant' ( * watches) ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 209 4 209 40] Invariant1.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 210 4 210 42] Invariant2.invariant' t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 211 4 211 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 212 4 212 52] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * self))) (UInt64.to_int cref))) > 1}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 213 4 213 46] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * self)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 208 4 208 51] Invariant0.invariant' ( ^ watches) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 209 4 209 40] Invariant1.invariant' ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 210 4 210 42] Invariant2.invariant' t ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 214 4 214 35] Equisat0.equisat ( * self) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 215 4 215 49] Type.creusat_formula_formula_Formula_num_vars ( * self) = Type.creusat_formula_formula_Formula_num_vars ( ^ self) }
-    
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_formula_formula);
-  var cref_2 : usize;
-  var watches_3 : borrowed (Type.creusat_watches_watches);
-  var t_4 : Type.creusat_trail_trail;
-  ghost var old_f_5 : borrowed (Type.creusat_formula_formula);
-  var _6 : ();
-  var _7 : ();
-  var _8 : borrowed (Type.creusat_watches_watches);
-  var _9 : Type.creusat_formula_formula;
-  var _10 : Type.creusat_trail_trail;
-  var _11 : usize;
-  var _12 : Type.creusat_lit_lit;
-  var _13 : Type.creusat_lit_lit;
-  var _14 : Type.creusat_clause_clause;
-  var _15 : Type.creusat_clause_clause;
-  var _16 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _17 : usize;
-  var _18 : ();
-  var _19 : borrowed (Type.creusat_watches_watches);
-  var _20 : Type.creusat_formula_formula;
-  var _21 : Type.creusat_trail_trail;
-  var _22 : usize;
-  var _23 : Type.creusat_lit_lit;
-  var _24 : Type.creusat_lit_lit;
-  var _25 : Type.creusat_clause_clause;
-  var _26 : Type.creusat_clause_clause;
-  var _27 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _28 : usize;
-  var _29 : borrowed (Type.creusat_clause_clause);
-  var _30 : borrowed (Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global));
-  var _31 : usize;
-  var _32 : ();
-  var _33 : ();
-  var _34 : ();
-  {
-    self_1 <- self;
-    cref_2 <- cref;
-    watches_3 <- watches;
-    t_4 <- t;
-    goto BB0
-  }
-  BB0 {
-    _6 <- ();
-    old_f_5 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 217 20 217 35] self_1);
-    goto BB1
-  }
-  BB1 {
-    _8 <- borrow_mut ( * watches_3);
-    watches_3 <- { watches_3 with current = ( ^ _8) };
-    _9 <-  * self_1;
-    _10 <- t_4;
-    _11 <- cref_2;
-    _16 <- Type.creusat_formula_formula_Formula_clauses ( * self_1);
-    _17 <- cref_2;
-    _15 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 218 39 218 57] Index0.index _16 _17);
-    goto BB2
-  }
-  BB2 {
-    _14 <- _15;
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 218 39 218 60] Index1.index _14 (0 : usize));
-    goto BB3
-  }
-  BB3 {
-    _12 <- _13;
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 218 8 218 61] Unwatch0.unwatch _8 _9 _10 _11 _12);
-    goto BB4
-  }
-  BB4 {
-    _19 <- borrow_mut ( * watches_3);
-    watches_3 <- { watches_3 with current = ( ^ _19) };
-    _20 <-  * self_1;
-    _21 <- t_4;
-    _22 <- cref_2;
-    _27 <- Type.creusat_formula_formula_Formula_clauses ( * self_1);
-    _28 <- cref_2;
-    _26 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 219 39 219 57] Index0.index _27 _28);
-    goto BB5
-  }
-  BB5 {
-    _25 <- _26;
-    _24 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 219 39 219 60] Index1.index _25 (1 : usize));
-    goto BB6
-  }
-  BB6 {
-    _23 <- _24;
-    _18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 219 8 219 61] Unwatch0.unwatch _19 _20 _21 _22 _23);
-    goto BB7
-  }
-  BB7 {
-    assume { Resolve0.resolve watches_3 };
-    _30 <- borrow_mut (Type.creusat_formula_formula_Formula_clauses ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Formula_Formula a b =  * self_1 in Type.CreuSat_Formula_Formula ( ^ _30) b) };
-    assume { Resolve1.resolve self_1 };
-    _31 <- cref_2;
-    _29 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 220 8 220 26] IndexMut0.index_mut _30 _31);
-    goto BB8
-  }
-  BB8 {
-    _29 <- { _29 with current = (let Type.CreuSat_Clause_Clause a b c d =  * _29 in Type.CreuSat_Clause_Clause true b c d) };
-    assume { Resolve2.resolve _29 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 221 8 222 74] forall i : (int) . 0 <= i && i < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * self_1))) (UInt64.to_int cref_2))) -> Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * self_1))) (UInt64.to_int cref_2))) i = Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * old_f_5))) (UInt64.to_int cref_2))) i };
-    _32 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 223 8 223 43] Equisat0.equisat ( * old_f_5) ( * self_1) };
-    _33 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 224 8 224 46]  ^ self_1 =  ^ old_f_5 };
-    _34 <- ();
-    _0 <- ();
-    return _0
-  }
-  
-end
-module CreuSat_Formula_Impl2_DeleteClauses_Interface
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val delete_clauses [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (watches : borrowed (Type.creusat_watches_watches)) (t : Type.creusat_trail_trail) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 229 4 229 40] Invariant0.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 230 4 230 51] Invariant1.invariant' ( * watches) ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 231 4 231 42] Invariant2.invariant' t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 232 4 232 35] Invariant2.invariant' t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 233 4 233 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 229 4 229 40] Invariant0.invariant' ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 230 4 230 51] Invariant1.invariant' ( ^ watches) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 231 4 231 42] Invariant2.invariant' t ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 234 4 234 49] Type.creusat_formula_formula_Formula_num_vars ( * self) = Type.creusat_formula_formula_Formula_num_vars ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 235 4 235 35] Equisat0.equisat ( * self) ( ^ self) }
-    
-end
-module CreuSat_Formula_Impl2_DeleteClauses
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model6 with function Model0.model = Model9.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model4 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant3 with function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model6.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model4.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model6.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model5.model,
-  function Model1.model = Model6.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model5.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model5.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model5.model,
-  function Model1.model = Model6.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model7.model,
-  function Model1.model = Model5.model, function Model2.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model5.model,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model0.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model3.model,
-  function Model1.model = Model4.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model3.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model3.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model2.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model4.model,
-  function Model1.model = Model3.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model2.model, function Model3.model = Model5.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model0.model = Model3.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model2.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model4.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant2 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model2.model, function Model1.model = Model3.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant1 with function Model0.model = Model1.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_formula_formula
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_clause_clause
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model10 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model6.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len1 with function Model0.model = Model10.model
-  clone CreuSat_Logic_LogicClause_Impl2_Sat as Sat1 with function Model0.model = Model4.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.creusat_clause_clause, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model5.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, function Model0.model = Model5.model
-  clone CreuSat_Formula_Impl2_IsClauseSat_Interface as IsClauseSat0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant3.invariant', function Model0.model = Model5.model,
-  predicate Sat0.sat = Sat1.sat, predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Formula_Impl2_DeleteClause_Interface as DeleteClause0 with predicate Invariant0.invariant' = Invariant1.invariant',
-  predicate Invariant1.invariant' = Invariant0.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  function Model0.model = Model5.model, function Model1.model = Model6.model,
-  predicate Equisat0.equisat = Equisat0.equisat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg delete_clauses [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 236 4 236 70] (self : borrowed (Type.creusat_formula_formula)) (watches : borrowed (Type.creusat_watches_watches)) (t : Type.creusat_trail_trail) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 229 4 229 40] Invariant0.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 230 4 230 51] Invariant1.invariant' ( * watches) ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 231 4 231 42] Invariant2.invariant' t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 232 4 232 35] Invariant2.invariant' t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 233 4 233 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 229 4 229 40] Invariant0.invariant' ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 230 4 230 51] Invariant1.invariant' ( ^ watches) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 231 4 231 42] Invariant2.invariant' t ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 234 4 234 49] Type.creusat_formula_formula_Formula_num_vars ( * self) = Type.creusat_formula_formula_Formula_num_vars ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 235 4 235 35] Equisat0.equisat ( * self) ( ^ self) }
-    
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_formula_formula);
-  var watches_2 : borrowed (Type.creusat_watches_watches);
-  var t_3 : Type.creusat_trail_trail;
-  ghost var old_f_4 : borrowed (Type.creusat_formula_formula);
-  var _5 : ();
-  ghost var old_w_6 : borrowed (Type.creusat_watches_watches);
-  var _7 : ();
-  var i_8 : usize;
-  var _9 : ();
-  var _10 : bool;
-  var _11 : usize;
-  var _12 : usize;
-  var _13 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _14 : ();
-  var _15 : bool;
-  var _16 : bool;
-  var _17 : Type.creusat_clause_clause;
-  var _18 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _19 : usize;
-  var _20 : ();
-  var _21 : bool;
-  var _22 : bool;
-  var _23 : usize;
-  var _24 : Type.creusat_clause_clause;
-  var _25 : Type.creusat_clause_clause;
-  var _26 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _27 : usize;
-  var _28 : bool;
-  var _29 : Type.creusat_formula_formula;
-  var _30 : usize;
-  var _31 : Type.creusat_assignments_assignments;
-  var _32 : Type.creusat_assignments_assignments;
-  var _33 : ();
-  var _34 : borrowed (Type.creusat_formula_formula);
-  var _35 : usize;
-  var _36 : borrowed (Type.creusat_watches_watches);
-  var _37 : Type.creusat_trail_trail;
-  var _38 : ();
-  var _39 : ();
-  var _40 : ();
-  {
-    self_1 <- self;
-    watches_2 <- watches;
-    t_3 <- t;
-    goto BB0
-  }
-  BB0 {
-    _5 <- ();
-    old_f_4 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 237 20 237 35] self_1);
-    goto BB1
-  }
-  BB1 {
-    _7 <- ();
-    old_w_6 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 238 20 238 38] watches_2);
-    goto BB2
-  }
-  BB2 {
-    i_8 <- (0 : usize);
-    goto BB3
-  }
-  BB3 {
-    invariant w_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 241 8 241 53] Invariant1.invariant' ( * watches_2) ( * self_1) };
-    invariant t_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 242 8 242 47] Invariant2.invariant' t_3 ( * self_1) };
-    invariant f_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 243 8 243 45] Invariant0.invariant' ( * self_1) };
-    invariant proph_w { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 244 8 244 57]  ^ watches_2 =  ^ old_w_6 };
-    invariant proph_f { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 245 8 245 54]  ^ self_1 =  ^ old_f_4 };
-    invariant num_vars_unch { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 246 8 246 70] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self_1)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * old_f_4)) };
-    invariant equi { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 247 8 247 56] Equisat0.equisat ( * self_1) ( * old_f_4) };
-    _11 <- i_8;
-    _13 <- Type.creusat_formula_formula_Formula_clauses ( * self_1);
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 248 18 248 36] Len0.len _13);
-    goto BB4
-  }
-  BB4 {
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 248 14 248 36] _11 < _12);
-    switch (_10)
-      | False -> goto BB20
-      | _ -> goto BB5
-      end
-  }
-  BB5 {
-    _18 <- Type.creusat_formula_formula_Formula_clauses ( * self_1);
-    _19 <- i_8;
-    _17 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 249 16 249 31] Index0.index _18 _19);
-    goto BB6
-  }
-  BB6 {
-    _16 <- Type.creusat_clause_clause_Clause_deleted _17;
-    _15 <- not _16;
-    switch (_15)
-      | False -> goto BB18
-      | _ -> goto BB7
-      end
-  }
-  BB7 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 250 16 250 61] Invariant3.invariant' (Type.creusat_trail_trail_Trail_assignments t_3) ( * self_1) };
-    _20 <- ();
-    _26 <- Type.creusat_formula_formula_Formula_clauses ( * self_1);
-    _27 <- i_8;
-    _25 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 251 19 251 34] Index0.index _26 _27);
-    goto BB11
-  }
-  BB8 {
-    _21 <- false;
-    goto BB10
-  }
-  BB9 {
-    _29 <-  * self_1;
-    _30 <- i_8;
-    _32 <- Type.creusat_trail_trail_Trail_assignments t_3;
-    _31 <- _32;
-    _28 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 251 48 251 85] IsClauseSat0.is_clause_sat _29 _30 _31);
-    goto BB13
-  }
-  BB10 {
-    switch (_21)
-      | False -> goto BB16
-      | _ -> goto BB14
-      end
-  }
-  BB11 {
-    _24 <- _25;
-    _23 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 251 19 251 40] Len1.len _24);
-    goto BB12
-  }
-  BB12 {
-    _22 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 251 19 251 44] _23 > (1 : usize));
-    switch (_22)
-      | False -> goto BB8
-      | _ -> goto BB9
-      end
-  }
-  BB13 {
-    _21 <- _28;
-    goto BB10
-  }
-  BB14 {
-    _34 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _34) };
-    _35 <- i_8;
-    _36 <- borrow_mut ( * watches_2);
-    watches_2 <- { watches_2 with current = ( ^ _36) };
-    _37 <- t_3;
-    _33 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 252 20 252 53] DeleteClause0.delete_clause _34 _35 _36 _37);
-    goto BB15
-  }
-  BB15 {
-    _14 <- ();
-    goto BB17
-  }
-  BB16 {
-    _14 <- ();
-    goto BB17
-  }
-  BB17 {
-    goto BB19
-  }
-  BB18 {
-    _14 <- ();
-    goto BB19
-  }
-  BB19 {
-    i_8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 255 12 255 18] i_8 + (1 : usize));
-    _9 <- ();
-    goto BB3
-  }
-  BB20 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve watches_2 };
-    _0 <- ();
-    return _0
-  }
-  
-end
-module CreuSat_Formula_Impl2_SimplifyFormula_Interface
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val simplify_formula [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (watches : borrowed (Type.creusat_watches_watches)) (t : Type.creusat_trail_trail) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 262 4 262 40] Invariant0.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 263 4 263 51] Invariant1.invariant' ( * watches) ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 264 4 264 42] Invariant2.invariant' t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 265 4 265 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 262 4 262 40] Invariant0.invariant' ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 263 4 263 51] Invariant1.invariant' ( ^ watches) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 264 4 264 42] Invariant2.invariant' t ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 266 4 266 49] Type.creusat_formula_formula_Formula_num_vars ( * self) = Type.creusat_formula_formula_Formula_num_vars ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 267 4 267 35] Equisat0.equisat ( * self) ( ^ self) }
-    
-end
-module CreuSat_Formula_Impl2_SimplifyFormula
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model7 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model7.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model5 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model5.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model7.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model5.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model4.model,
-  function Model1.model = Model5.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model4.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model4.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model4.model,
-  function Model1.model = Model5.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model4.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model6.model,
-  function Model1.model = Model4.model, function Model2.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model4.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model5.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model0.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model3.model,
-  function Model1.model = Model7.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model3.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model3.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model2.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model7.model,
-  function Model1.model = Model3.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model2.model, function Model3.model = Model4.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model3.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model2.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model7.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant2 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model2.model, function Model1.model = Model3.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant1 with function Model0.model = Model1.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_formula_formula
-  clone CreuSat_Formula_Impl2_DeleteClauses_Interface as DeleteClauses0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  predicate Equisat0.equisat = Equisat0.equisat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg simplify_formula [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 268 4 268 72] (self : borrowed (Type.creusat_formula_formula)) (watches : borrowed (Type.creusat_watches_watches)) (t : Type.creusat_trail_trail) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 262 4 262 40] Invariant0.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 263 4 263 51] Invariant1.invariant' ( * watches) ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 264 4 264 42] Invariant2.invariant' t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 265 4 265 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 262 4 262 40] Invariant0.invariant' ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 263 4 263 51] Invariant1.invariant' ( ^ watches) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 264 4 264 42] Invariant2.invariant' t ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 266 4 266 49] Type.creusat_formula_formula_Formula_num_vars ( * self) = Type.creusat_formula_formula_Formula_num_vars ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 267 4 267 35] Equisat0.equisat ( * self) ( ^ self) }
-    
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_formula_formula);
-  var watches_2 : borrowed (Type.creusat_watches_watches);
-  var t_3 : Type.creusat_trail_trail;
-  var _4 : ();
-  var _5 : borrowed (Type.creusat_formula_formula);
-  var _6 : borrowed (Type.creusat_watches_watches);
-  var _7 : Type.creusat_trail_trail;
-  {
-    self_1 <- self;
-    watches_2 <- watches;
-    t_3 <- t;
-    goto BB0
-  }
-  BB0 {
-    _5 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _5) };
-    _6 <- borrow_mut ( * watches_2);
-    watches_2 <- { watches_2 with current = ( ^ _6) };
-    _7 <- t_3;
-    _4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 270 8 270 39] DeleteClauses0.delete_clauses _5 _6 _7);
-    goto BB1
-  }
-  BB1 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve watches_2 };
-    _0 <- ();
-    return _0
-  }
-  
-end
-module CreuSat_Formula_Impl2_ReduceDb_Interface
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val reduceDB [@cfg:stackify] (self : borrowed (Type.creusat_formula_formula)) (watches : borrowed (Type.creusat_watches_watches)) (t : Type.creusat_trail_trail) (s : borrowed (Type.creusat_solver_solver)) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 275 4 275 40] Invariant0.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 276 4 276 51] Invariant1.invariant' ( * watches) ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 277 4 277 42] Invariant2.invariant' t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 278 4 278 33] Invariant0.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 279 4 279 35] Invariant2.invariant' t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 280 4 280 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 275 4 275 40] Invariant0.invariant' ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 276 4 276 51] Invariant1.invariant' ( ^ watches) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 277 4 277 42] Invariant2.invariant' t ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 281 4 281 49] Type.creusat_formula_formula_Formula_num_vars ( * self) = Type.creusat_formula_formula_Formula_num_vars ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 282 4 282 35] Equisat0.equisat ( * self) ( ^ self) }
-    
-end
-module CreuSat_Formula_Impl2_ReduceDb
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model7 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model7.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model5 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model5.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model7.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model5.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model4.model,
-  function Model1.model = Model5.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model4.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model4.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model4.model,
-  function Model1.model = Model5.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model4.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model6.model,
-  function Model1.model = Model4.model, function Model2.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model4.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model5.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model0.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model3.model,
-  function Model1.model = Model7.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model3.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model3.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model2.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model7.model,
-  function Model1.model = Model3.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model2.model, function Model3.model = Model4.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model3.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model2.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model7.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant2 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model2.model, function Model1.model = Model3.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant1 with function Model0.model = Model1.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_solver_solver
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_formula_formula
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy2
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_clause_clause
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model11 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model7.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model10 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model5.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index1 with function Model0.model = Model10.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len1 with function Model0.model = Model10.model
-  clone CreuSat_Lit_Impl1_LitSat_Interface as LitSat0 with function Model0.model = Model11.model,
-  predicate Invariant0.invariant' = Invariant6.invariant', predicate Sat0.sat = Sat0.sat
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.creusat_clause_clause, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model4.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, function Model0.model = Model4.model
-  clone CreuSat_Formula_Impl2_DeleteClause_Interface as DeleteClause0 with predicate Invariant0.invariant' = Invariant1.invariant',
-  predicate Invariant1.invariant' = Invariant0.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  function Model0.model = Model4.model, function Model1.model = Model5.model,
-  predicate Equisat0.equisat = Equisat0.equisat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg reduceDB [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 283 4 283 80] (self : borrowed (Type.creusat_formula_formula)) (watches : borrowed (Type.creusat_watches_watches)) (t : Type.creusat_trail_trail) (s : borrowed (Type.creusat_solver_solver)) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 275 4 275 40] Invariant0.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 276 4 276 51] Invariant1.invariant' ( * watches) ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 277 4 277 42] Invariant2.invariant' t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 278 4 278 33] Invariant0.invariant' ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 279 4 279 35] Invariant2.invariant' t ( * self)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 280 4 280 47] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self)) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 275 4 275 40] Invariant0.invariant' ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 276 4 276 51] Invariant1.invariant' ( ^ watches) ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 277 4 277 42] Invariant2.invariant' t ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 281 4 281 49] Type.creusat_formula_formula_Formula_num_vars ( * self) = Type.creusat_formula_formula_Formula_num_vars ( ^ self) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 282 4 282 35] Equisat0.equisat ( * self) ( ^ self) }
-    
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_formula_formula);
-  var watches_2 : borrowed (Type.creusat_watches_watches);
-  var t_3 : Type.creusat_trail_trail;
-  var s_4 : borrowed (Type.creusat_solver_solver);
-  var _5 : ();
-  var _6 : ();
-  var _7 : bool;
-  var _8 : usize;
-  var _9 : usize;
-  var _10 : bool;
-  var _11 : usize;
-  var _12 : usize;
-  var _13 : ();
-  var _14 : ();
-  var _15 : ();
-  var _16 : ();
-  var i_17 : usize;
-  ghost var old_f_18 : borrowed (Type.creusat_formula_formula);
-  var _19 : ();
-  ghost var old_w_20 : borrowed (Type.creusat_watches_watches);
-  var _21 : ();
-  var _22 : bool;
-  var _23 : usize;
-  var _24 : usize;
-  var _25 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _26 : ();
-  var _27 : bool;
-  var _28 : bool;
-  var _29 : Type.creusat_clause_clause;
-  var _30 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _31 : usize;
-  var _32 : bool;
-  var _33 : usize;
-  var _34 : Type.creusat_clause_clause;
-  var _35 : Type.creusat_clause_clause;
-  var _36 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _37 : usize;
-  var cnt_38 : int32;
-  var j_39 : usize;
-  var _40 : ();
-  var _41 : bool;
-  var _42 : bool;
-  var _43 : usize;
-  var _44 : usize;
-  var _45 : Type.creusat_clause_clause;
-  var _46 : Type.creusat_clause_clause;
-  var _47 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _48 : usize;
-  var _49 : bool;
-  var _50 : int32;
-  var _51 : ();
-  var _52 : bool;
-  var _53 : Type.creusat_lit_lit;
-  var _54 : Type.creusat_lit_lit;
-  var _55 : Type.creusat_clause_clause;
-  var _56 : Type.creusat_clause_clause;
-  var _57 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _58 : usize;
-  var _59 : usize;
-  var _60 : Type.creusat_assignments_assignments;
-  var _61 : Type.creusat_assignments_assignments;
-  var _62 : ();
-  var _63 : ();
-  var _64 : ();
-  var _65 : bool;
-  var _66 : int32;
-  var _67 : ();
-  var _68 : bool;
-  var _69 : usize;
-  var _70 : ();
-  var _71 : borrowed (Type.creusat_formula_formula);
-  var _72 : usize;
-  var _73 : borrowed (Type.creusat_watches_watches);
-  var _74 : Type.creusat_trail_trail;
-  var _75 : ();
-  var _76 : ();
-  var _77 : ();
-  {
-    self_1 <- self;
-    watches_2 <- watches;
-    t_3 <- t;
-    s_4 <- s;
-    goto BB0
-  }
-  BB0 {
-    goto BB1
-  }
-  BB1 {
-    _8 <- Type.creusat_solver_solver_Solver_num_lemmas ( * s_4);
-    _9 <- Type.creusat_solver_solver_Solver_max_lemmas ( * s_4);
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 285 14 285 41] _8 > _9);
-    switch (_7)
-      | False -> goto BB5
-      | _ -> goto BB2
-      end
-  }
-  BB2 {
-    _11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 286 15 286 31] (18446744073709551615 : usize) - (300 : usize));
-    _12 <- Type.creusat_solver_solver_Solver_max_lemmas ( * s_4);
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 286 15 286 46] _11 > _12);
-    switch (_10)
-      | False -> goto BB4
-      | _ -> goto BB3
-      end
-  }
-  BB3 {
-    s_4 <- { s_4 with current = (let Type.CreuSat_Solver_Solver a b c d e f g h =  * s_4 in Type.CreuSat_Solver_Solver a ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 287 16 287 35] Type.creusat_solver_solver_Solver_max_lemmas ( * s_4) + (300 : usize)) c d e f g h) };
-    _6 <- ();
-    goto BB1
-  }
-  BB4 {
-    _5 <- ();
-    goto BB6
-  }
-  BB5 {
-    _5 <- ();
-    goto BB6
-  }
-  BB6 {
-    i_17 <- Type.creusat_solver_solver_Solver_initial_len ( * s_4);
-    _19 <- ();
-    old_f_18 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 294 20 294 35] self_1);
-    goto BB7
-  }
-  BB7 {
-    _21 <- ();
-    old_w_20 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 295 20 295 38] watches_2);
-    goto BB8
-  }
-  BB8 {
-    goto BB9
-  }
-  BB9 {
-    invariant w_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 296 8 296 53] Invariant1.invariant' ( * watches_2) ( * self_1) };
-    invariant t_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 297 8 297 47] Invariant2.invariant' t_3 ( * self_1) };
-    invariant f_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 298 8 298 45] Invariant0.invariant' ( * self_1) };
-    invariant proph_w { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 299 8 299 57]  ^ watches_2 =  ^ old_w_20 };
-    invariant proph_f { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 300 8 300 54]  ^ self_1 =  ^ old_f_18 };
-    invariant num_vars_unch { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 301 8 301 70] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * self_1)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * old_f_18)) };
-    invariant equi { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 302 8 302 56] Equisat0.equisat ( * self_1) ( * old_f_18) };
-    _23 <- i_17;
-    _25 <- Type.creusat_formula_formula_Formula_clauses ( * self_1);
-    _24 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 303 18 303 36] Len0.len _25);
-    goto BB10
-  }
-  BB10 {
-    _22 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 303 14 303 36] _23 < _24);
-    switch (_22)
-      | False -> goto BB42
-      | _ -> goto BB11
-      end
-  }
-  BB11 {
-    _30 <- Type.creusat_formula_formula_Formula_clauses ( * self_1);
-    _31 <- i_17;
-    _29 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 304 16 304 31] Index0.index _30 _31);
-    goto BB12
-  }
-  BB12 {
-    _28 <- Type.creusat_clause_clause_Clause_deleted _29;
-    _27 <- not _28;
-    switch (_27)
-      | False -> goto BB40
-      | _ -> goto BB13
-      end
-  }
-  BB13 {
-    _36 <- Type.creusat_formula_formula_Formula_clauses ( * self_1);
-    _37 <- i_17;
-    _35 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 306 19 306 34] Index0.index _36 _37);
-    goto BB14
-  }
-  BB14 {
-    _34 <- _35;
-    _33 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 306 19 306 40] Len1.len _34);
-    goto BB15
-  }
-  BB15 {
-    _32 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 306 19 306 44] _33 > (6 : usize));
-    switch (_32)
-      | False -> goto BB38
-      | _ -> goto BB16
-      end
-  }
-  BB16 {
-    cnt_38 <- (0 : int32);
-    j_39 <- (0 : usize);
-    goto BB17
-  }
-  BB17 {
-    _43 <- j_39;
-    _47 <- Type.creusat_formula_formula_Formula_clauses ( * self_1);
-    _48 <- i_17;
-    _46 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 309 30 309 45] Index0.index _47 _48);
-    goto BB21
-  }
-  BB18 {
-    _41 <- false;
-    goto BB20
-  }
-  BB19 {
-    _50 <- cnt_38;
-    _49 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 309 55 309 62] _50 < (6 : int32));
-    _41 <- _49;
-    goto BB20
-  }
-  BB20 {
-    switch (_41)
-      | False -> goto BB30
-      | _ -> goto BB23
-      end
-  }
-  BB21 {
-    _45 <- _46;
-    _44 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 309 30 309 51] Len1.len _45);
-    goto BB22
-  }
-  BB22 {
-    _42 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 309 26 309 51] _43 < _44);
-    switch (_42)
-      | False -> goto BB18
-      | _ -> goto BB19
-      end
-  }
-  BB23 {
-    _57 <- Type.creusat_formula_formula_Formula_clauses ( * self_1);
-    _58 <- i_17;
-    _56 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 310 27 310 42] Index0.index _57 _58);
-    goto BB24
-  }
-  BB24 {
-    _55 <- _56;
-    _59 <- j_39;
-    _54 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 310 27 310 45] Index1.index _55 _59);
-    goto BB25
-  }
-  BB25 {
-    _53 <- _54;
-    _61 <- Type.creusat_trail_trail_Trail_assignments t_3;
-    _60 <- _61;
-    _52 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 310 27 310 69] LitSat0.lit_sat _53 _60);
-    goto BB26
-  }
-  BB26 {
-    switch (_52)
-      | False -> goto BB28
-      | _ -> goto BB27
-      end
-  }
-  BB27 {
-    cnt_38 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 311 28 311 36] cnt_38 + (1 : int32));
-    _51 <- ();
-    goto BB29
-  }
-  BB28 {
-    _51 <- ();
-    goto BB29
-  }
-  BB29 {
-    j_39 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 313 24 313 30] j_39 + (1 : usize));
-    _6 <- ();
-    goto BB17
-  }
-  BB30 {
-    _40 <- ();
-    _66 <- cnt_38;
-    _65 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 315 23 315 31] _66 >= (6 : int32));
-    switch (_65)
-      | False -> goto BB32
-      | _ -> goto BB31
-      end
-  }
-  BB31 {
-    _69 <- Type.creusat_solver_solver_Solver_num_lemmas ( * s_4);
-    _68 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 317 27 317 43] _69 > (0 : usize));
-    switch (_68)
-      | False -> goto BB34
-      | _ -> goto BB33
-      end
-  }
-  BB32 {
-    _26 <- ();
-    goto BB37
-  }
-  BB33 {
-    s_4 <- { s_4 with current = (let Type.CreuSat_Solver_Solver a b c d e f g h =  * s_4 in Type.CreuSat_Solver_Solver ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 318 28 318 45] Type.creusat_solver_solver_Solver_num_lemmas ( * s_4) - (1 : usize)) b c d e f g h) };
-    _67 <- ();
-    goto BB35
-  }
-  BB34 {
-    _67 <- ();
-    goto BB35
-  }
-  BB35 {
-    _71 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _71) };
-    _72 <- i_17;
-    _73 <- borrow_mut ( * watches_2);
-    watches_2 <- { watches_2 with current = ( ^ _73) };
-    _74 <- t_3;
-    _70 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 320 24 320 57] DeleteClause0.delete_clause _71 _72 _73 _74);
-    goto BB36
-  }
-  BB36 {
-    _26 <- ();
-    goto BB37
-  }
-  BB37 {
-    goto BB39
-  }
-  BB38 {
-    _26 <- ();
-    goto BB39
-  }
-  BB39 {
-    goto BB41
-  }
-  BB40 {
-    _26 <- ();
-    goto BB41
-  }
-  BB41 {
-    i_17 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/formula.rs" 324 12 324 18] i_17 + (1 : usize));
-    _6 <- ();
-    goto BB9
-  }
-  BB42 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve watches_2 };
-    assume { Resolve2.resolve s_4 };
-    _0 <- ();
-    return _0
-  }
-  
-end
-module CreuSat_Lit_Impl4_Clone_Interface
-  use prelude.Prelude
-  use Type
-  val clone' [@cfg:stackify] (self : Type.creusat_lit_lit) : Type.creusat_lit_lit
-end
-module CreuSat_Lit_Impl4_Clone
-  use prelude.Prelude
-  use Type
-  let rec cfg clone' [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 11 9 11 14] (self : Type.creusat_lit_lit) : Type.creusat_lit_lit
-    
-   =
-  var _0 : Type.creusat_lit_lit;
-  var self_1 : Type.creusat_lit_lit;
-  {
-    self_1 <- self;
-    goto BB0
-  }
-  BB0 {
-    _0 <- self_1;
-    return _0
-  }
-  
-end
-module CreuSat_Lit_Impl0_Model_Interface
-  use Type
-  function model (self : Type.creusat_lit_lit) : Type.creusat_lit_lit
-end
-module CreuSat_Lit_Impl0_Model
-  use Type
-  function model [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 22 4 22 26] (self : Type.creusat_lit_lit) : Type.creusat_lit_lit
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 23 8 23 12] self
-end
-module CreuSat_Lit_Impl1_LitSet_Interface
-  use seq.Seq
-  use Type
-  use prelude.Prelude
-  clone CreuSat_Logic_LogicLit_Impl1_Unset_Interface as Unset0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant0
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  val lit_set [@cfg:stackify] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 81 4 81 43] Invariant0.invariant' self (Seq.length (Model0.model a))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 82 4 82 41] result = (not Unset0.unset self a) }
-    
-end
-module CreuSat_Lit_Impl1_LitSet
-  use seq.Seq
-  use Type
-  use prelude.Prelude
-  use mach.int.Int
-  use prelude.UInt8
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsetInner as UnsetInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Unset as Unset0 with function Model0.model = Model1.model,
-  predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  use mach.int.UInt64
-  clone CreuSat_Lit_Impl1_Index_Interface as Index0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Assignments_Impl0_Index_Interface as Index1 with function Model0.model = Model0.model
-  let rec cfg lit_set [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 83 4 83 49] (self : Type.creusat_lit_lit) (a : Type.creusat_assignments_assignments) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 81 4 81 43] Invariant0.invariant' self (Seq.length (Model0.model a))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 82 4 82 41] result = (not Unset0.unset self a) }
-    
-   =
-  var _0 : bool;
-  var self_1 : Type.creusat_lit_lit;
-  var a_2 : Type.creusat_assignments_assignments;
-  var _3 : uint8;
-  var _4 : uint8;
-  var _5 : Type.creusat_assignments_assignments;
-  var _6 : usize;
-  var _7 : Type.creusat_lit_lit;
-  {
-    self_1 <- self;
-    a_2 <- a;
-    goto BB0
-  }
-  BB0 {
-    _5 <- a_2;
-    _7 <- self_1;
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 84 10 84 22] Index0.index _7);
-    goto BB1
-  }
-  BB1 {
-    _4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 84 8 84 23] Index1.index _5 _6);
-    goto BB2
-  }
-  BB2 {
-    _3 <- _4;
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 84 8 84 27] _3 < (2 : uint8));
-    return _0
-  }
-  
-end
-module CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic_Interface
-  use Type
-  use mach.int.Int
-  function to_watchidx_logic [@inline:trivial] (self : Type.creusat_lit_lit) : int
-end
-module CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  function to_watchidx_logic [@inline:trivial] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 33 4 33 41] (self : Type.creusat_lit_lit) : int
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 34 8 34 91] IndexLogic0.index_logic self * 2 + (if IsPositiveLogic0.is_positive_logic self then
-      0
-    else
-      1
-    )
-end
-module CreuSat_Lit_Impl1_ToWatchidx_Interface
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.UInt64
-  use mach.int.Int32
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic_Interface as ToWatchidxLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  val to_watchidx [@cfg:stackify] (self : Type.creusat_lit_lit) : usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 89 4 89 51] IndexLogic0.index_logic self < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 90 4 90 51] UInt64.to_int result = ToWatchidxLogic0.to_watchidx_logic self }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 91 4 91 96] UInt64.to_int result = IndexLogic0.index_logic self * 2 + (if IsPositiveLogic0.is_positive_logic self then
-      0
-    else
-      1
-    ) }
-    
-end
-module CreuSat_Lit_Impl1_ToWatchidx
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.UInt64
-  use mach.int.Int32
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic as ToWatchidxLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl1_IsPositive_Interface as IsPositive0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl1_Index_Interface as Index0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  let rec cfg to_watchidx [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 92 4 92 37] (self : Type.creusat_lit_lit) : usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 89 4 89 51] IndexLogic0.index_logic self < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 90 4 90 51] UInt64.to_int result = ToWatchidxLogic0.to_watchidx_logic self }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 91 4 91 96] UInt64.to_int result = IndexLogic0.index_logic self * 2 + (if IsPositiveLogic0.is_positive_logic self then
-      0
-    else
-      1
-    ) }
-    
-   =
-  var _0 : usize;
-  var self_1 : Type.creusat_lit_lit;
-  var _2 : usize;
-  var _3 : usize;
-  var _4 : Type.creusat_lit_lit;
-  var _5 : usize;
-  var _6 : bool;
-  var _7 : Type.creusat_lit_lit;
-  {
-    self_1 <- self;
-    goto BB0
-  }
-  BB0 {
-    _4 <- self_1;
-    _3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 93 8 93 20] Index0.index _4);
-    goto BB1
-  }
-  BB1 {
-    _2 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 93 8 93 24] _3 * (2 : usize));
-    _7 <- self_1;
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 93 30 93 48] IsPositive0.is_positive _7);
-    goto BB2
-  }
-  BB2 {
-    switch (_6)
-      | False -> goto BB4
-      | _ -> goto BB3
-      end
-  }
-  BB3 {
-    _5 <- (0 : usize);
-    goto BB5
-  }
-  BB4 {
-    _5 <- (1 : usize);
-    goto BB5
-  }
-  BB5 {
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 93 8 93 65] _2 + _5);
-    return _0
-  }
-  
-end
-module CreuSat_Lit_Impl1_PhaseSaved_Interface
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use prelude.UInt8
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  val phase_saved [@cfg:stackify] (idx : usize) (assignments : Type.creusat_assignments_assignments) : Type.creusat_lit_lit
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 105 4 105 44] UInt64.to_int idx < Seq.length (Model0.model assignments)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 106 4 106 44] IndexLogic0.index_logic result = UInt64.to_int idx }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 107 4 107 74] IsPositiveLogic0.is_positive_logic result = (UInt8.to_int (Seq.get (Model0.model assignments) (UInt64.to_int idx)) = 1) }
-    
-end
-module CreuSat_Lit_Impl1_PhaseSaved
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use prelude.UInt8
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Assignments_Impl0_Index_Interface as Index0 with function Model0.model = Model0.model
-  let rec cfg phase_saved [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 108 4 108 68] (idx : usize) (assignments : Type.creusat_assignments_assignments) : Type.creusat_lit_lit
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 105 4 105 44] UInt64.to_int idx < Seq.length (Model0.model assignments)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 106 4 106 44] IndexLogic0.index_logic result = UInt64.to_int idx }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 107 4 107 74] IsPositiveLogic0.is_positive_logic result = (UInt8.to_int (Seq.get (Model0.model assignments) (UInt64.to_int idx)) = 1) }
-    
-   =
-  var _0 : Type.creusat_lit_lit;
-  var idx_1 : usize;
-  var assignments_2 : Type.creusat_assignments_assignments;
-  var _3 : usize;
-  var _4 : bool;
-  var _5 : bool;
-  var _6 : uint8;
-  var _7 : uint8;
-  var _8 : Type.creusat_assignments_assignments;
-  var _9 : usize;
-  {
-    idx_1 <- idx;
-    assignments_2 <- assignments;
-    goto BB0
-  }
-  BB0 {
-    _3 <- idx_1;
-    _8 <- assignments_2;
-    _9 <- idx_1;
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 109 37 109 53] Index0.index _8 _9);
-    goto BB1
-  }
-  BB1 {
-    _6 <- _7;
-    _5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 109 37 109 58] _6 = (1 : uint8));
-    switch (_5)
-      | False -> goto BB3
-      | _ -> goto BB2
-      end
-  }
-  BB2 {
-    _4 <- true;
-    goto BB4
-  }
-  BB3 {
-    _4 <- false;
-    goto BB4
-  }
-  BB4 {
-    _0 <- Type.CreuSat_Lit_Lit _3 _4;
-    return _0
-  }
-  
-end
-module CreuSat_Lit_Impl2_Eq_Interface
-  use prelude.Prelude
-  use Type
-  val eq [@cfg:stackify] (self : Type.creusat_lit_lit) (other : Type.creusat_lit_lit) : bool
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 120 4 120 41] result = (self = other) }
-    
-end
-module CreuSat_Lit_Impl2_Eq
-  use prelude.Prelude
-  use Type
-  use mach.int.Int
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Lit_Impl1_IsPositive_Interface as IsPositive0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Lit_Impl1_Index_Interface as Index0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  let rec cfg eq [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 122 4 122 37] (self : Type.creusat_lit_lit) (other : Type.creusat_lit_lit) : bool
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 120 4 120 41] result = (self = other) }
-    
-   =
-  var _0 : bool;
-  var self_1 : Type.creusat_lit_lit;
-  var other_2 : Type.creusat_lit_lit;
-  var _3 : bool;
-  var _4 : usize;
-  var _5 : Type.creusat_lit_lit;
-  var _6 : usize;
-  var _7 : Type.creusat_lit_lit;
-  var _8 : bool;
-  var _9 : bool;
-  var _10 : Type.creusat_lit_lit;
-  var _11 : bool;
-  var _12 : Type.creusat_lit_lit;
-  {
-    self_1 <- self;
-    other_2 <- other;
-    goto BB0
-  }
-  BB0 {
-    _5 <- self_1;
-    _4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 123 8 123 20] Index0.index _5);
-    goto BB4
-  }
-  BB1 {
-    _0 <- false;
-    goto BB3
-  }
-  BB2 {
-    _10 <- self_1;
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 123 41 123 59] IsPositive0.is_positive _10);
-    goto BB6
-  }
-  BB3 {
-    return _0
-  }
-  BB4 {
-    _7 <- other_2;
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 123 24 123 37] Index0.index _7);
-    goto BB5
-  }
-  BB5 {
-    _3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 123 8 123 37] _4 = _6);
-    switch (_3)
-      | False -> goto BB1
-      | _ -> goto BB2
-      end
-  }
-  BB6 {
-    _12 <- other_2;
-    _11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 123 63 123 82] IsPositive0.is_positive _12);
-    goto BB7
-  }
-  BB7 {
-    _8 <- Prelude.eqb _9 _11;
-    _0 <- _8;
-    goto BB3
-  }
-  
-end
-module CreuSat_Lit_Impl3_Not_Interface
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic_Interface as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  val not' [@cfg:stackify] (self : Type.creusat_lit_lit) : Type.creusat_lit_lit
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 132 4 132 58] IndexLogic0.index_logic result = IndexLogic0.index_logic self }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 133 4 133 71] IsPositiveLogic0.is_positive_logic result = (not IsPositiveLogic0.is_positive_logic self) }
-    
-end
-module CreuSat_Lit_Impl3_Not
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.UInt64
-  clone CreuSat_Lit_Impl1_IsPositive_Interface as IsPositive0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl1_Index_Interface as Index0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  let rec cfg not' [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 134 4 134 23] (self : Type.creusat_lit_lit) : Type.creusat_lit_lit
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 132 4 132 58] IndexLogic0.index_logic result = IndexLogic0.index_logic self }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 133 4 133 71] IsPositiveLogic0.is_positive_logic result = (not IsPositiveLogic0.is_positive_logic self) }
-    
-   =
-  var _0 : Type.creusat_lit_lit;
-  var self_1 : Type.creusat_lit_lit;
-  var _2 : usize;
-  var _3 : Type.creusat_lit_lit;
-  var _4 : bool;
-  var _5 : bool;
-  var _6 : Type.creusat_lit_lit;
-  {
-    self_1 <- self;
-    goto BB0
-  }
-  BB0 {
-    _3 <- self_1;
-    _2 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 135 19 135 31] Index0.index _3);
-    goto BB1
-  }
-  BB1 {
-    _6 <- self_1;
-    _5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/lit.rs" 135 44 135 62] IsPositive0.is_positive _6);
-    goto BB2
-  }
-  BB2 {
-    _4 <- not _5;
-    _0 <- Type.CreuSat_Lit_Lit _2 _4;
-    return _0
-  }
-  
-end
-module CreuSat_Logic_Logic_Pos_Interface
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  function pos (_ : ()) : uint8
-end
-module CreuSat_Logic_Logic_Pos
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  function pos [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 10 0 10 25] (_ : ()) : uint8 =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 11 4 11 7] (1 : uint8)
-end
-module CreuSat_Logic_Logic_Neg_Interface
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  function neg (_ : ()) : uint8
-end
-module CreuSat_Logic_Logic_Neg
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  function neg [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 15 0 15 25] (_ : ()) : uint8 =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 16 4 16 7] (0 : uint8)
-end
-module CreuSat_Logic_Logic_BoolToAssignedstate_Interface
-  use prelude.UInt8
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  function bool_to_assignedstate (b : bool) : uint8
-end
-module CreuSat_Logic_Logic_BoolToAssignedstate
-  use prelude.UInt8
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  function bool_to_assignedstate [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 34 0 34 54] (b : bool) : uint8
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 31 0 31 8] if b then (1 : uint8) else (0 : uint8)
-  axiom bool_to_assignedstate_spec : forall b : bool . ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 33 0 33 31] not b -> UInt8.to_int (bool_to_assignedstate b) = 0) && ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 32 0 32 30] b -> UInt8.to_int (bool_to_assignedstate b) = 1)
-end
-module CreuSat_Logic_Logic_BoolToAssignedstate_Impl
-  use prelude.UInt8
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  let rec ghost function bool_to_assignedstate (b : bool) : uint8
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 32 0 32 30] b -> UInt8.to_int result = 1 }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 33 0 33 31] not b -> UInt8.to_int result = 0 }
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 31 0 31 8] if b then (1 : uint8) else (0 : uint8)
-end
-module CreuSat_Logic_Logic_FlipV_Interface
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  function flip_v (v : uint8) : uint8
-end
-module CreuSat_Logic_Logic_FlipV
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use mach.int.Int32
-  function flip_v [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 43 0 43 44] (v : uint8) : uint8 =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic.rs" 44 4 52 5] if UInt8.to_int v = 0 then
-      (1 : uint8)
-    else
-      if UInt8.to_int v = 1 then (0 : uint8) else v
-    
-end
-module CreuSat_Logic_LogicAssignments_CompatibleInner_Interface
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  predicate compatible_inner (a : Seq.seq uint8) (a2 : Seq.seq uint8)
-end
-module CreuSat_Logic_LogicAssignments_CompatibleInner
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use mach.int.Int32
-  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
-  predicate compatible_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_assignments.rs" 25 0 25 78] (a : Seq.seq uint8) (a2 : Seq.seq uint8)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_assignments.rs" 26 4 29 5] Seq.length a = Seq.length a2 && (forall i : (int) . 0 <= i && i < Seq.length a -> Unset0.unset (Seq.get a i) || Seq.get a i = Seq.get a2 i)
-end
-module CreuSat_Logic_LogicAssignments_CompatibleCompleteInner_Interface
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  predicate compatible_complete_inner (a : Seq.seq uint8) (a2 : Seq.seq uint8)
-end
-module CreuSat_Logic_LogicAssignments_CompatibleCompleteInner
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicAssignments_CompleteInner_Interface as CompleteInner0
-  clone CreuSat_Logic_LogicAssignments_CompatibleInner_Interface as CompatibleInner0
-  predicate compatible_complete_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_assignments.rs" 40 0 40 87] (a : Seq.seq uint8) (a2 : Seq.seq uint8)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_assignments.rs" 39 0 39 12] CompatibleInner0.compatible_inner a a2 && CompleteInner0.complete_inner a2
-end
-module CreuSat_Logic_LogicClause_Impl1_PostUnitInner_Interface
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  predicate post_unit_inner (self : Type.creusat_clause_clause) (a : Seq.seq uint8)
-end
-module CreuSat_Logic_LogicClause_Impl1_PostUnitInner
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner_Interface as UnsatInner0
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate post_unit_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 56 4 56 63] (self : Type.creusat_clause_clause) (a : Seq.seq uint8)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 57 8 61 9] exists i : (int) . 0 <= i && i < Seq.length (Model0.model self) && SatInner0.sat_inner (Seq.get (Model0.model self) i) a && (forall j : (int) . 0 <= j && j < Seq.length (Model0.model self) && j <> i -> UnsatInner0.unsat_inner (Seq.get (Model0.model self) j) a)
-end
-module CreuSat_Logic_LogicClause_Impl1_NoUnsetInner_Interface
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  predicate no_unset_inner (self : Type.creusat_clause_clause) (a : Seq.seq uint8)
-end
-module CreuSat_Logic_LogicClause_Impl1_NoUnsetInner
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicLit_Impl1_UnsetInner_Interface as UnsetInner0
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate no_unset_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 65 4 65 62] (self : Type.creusat_clause_clause) (a : Seq.seq uint8)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 66 8 68 9] forall j : (int) . 0 <= j && j < Seq.length (Model0.model self) -> not UnsetInner0.unset_inner (Seq.get (Model0.model self) j) a
-end
-module CreuSat_Logic_LogicClause_Impl1_PostUnit_Interface
-  use Type
-  predicate post_unit (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
-end
-module CreuSat_Logic_LogicClause_Impl1_PostUnit
-  use Type
-  clone CreuSat_Logic_LogicClause_Impl1_PostUnitInner_Interface as PostUnitInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate post_unit [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 72 4 72 50] (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 73 8 73 46] PostUnitInner0.post_unit_inner self (Model0.model a)
-end
-module CreuSat_Logic_LogicClause_Impl1_EqAssnInner_Interface
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  predicate eq_assn_inner (self : Type.creusat_clause_clause) (a : Seq.seq uint8) (a2 : Seq.seq uint8)
-end
-module CreuSat_Logic_LogicClause_Impl1_EqAssnInner
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate eq_assn_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 77 4 77 85] (self : Type.creusat_clause_clause) (a : Seq.seq uint8) (a2 : Seq.seq uint8)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 78 8 81 9] forall i : (int) . 0 <= i && i < Seq.length (Model0.model self) -> Seq.get a (IndexLogic0.index_logic (Seq.get (Model0.model self) i)) = Seq.get a2 (IndexLogic0.index_logic (Seq.get (Model0.model self) i))
-end
-module CreuSat_Logic_LogicClause_Impl2_Unknown_Interface
-  use Type
-  predicate unknown (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
-end
-module CreuSat_Logic_LogicClause_Impl2_Unknown
-  use Type
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat0
-  clone CreuSat_Logic_LogicClause_Impl2_Sat_Interface as Sat0
-  predicate unknown [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 173 4 173 48] (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 172 4 172 16] not Sat0.sat self a && not Unsat0.unsat self a
-end
-module CreuSat_Logic_LogicClause_Impl2_SearchIdxInRange_Interface
-  use Type
-  predicate search_idx_in_range (self : Type.creusat_clause_clause)
-end
-module CreuSat_Logic_LogicClause_Impl2_SearchIdxInRange
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  use seq.Seq
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
-  predicate search_idx_in_range [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 188 4 188 44] (self : Type.creusat_clause_clause)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 189 8 191 9] 2 <= UInt64.to_int (Type.creusat_clause_clause_Clause_search self) && UInt64.to_int (Type.creusat_clause_clause_Clause_search self) <= Seq.length (Model0.model self)
-end
-module CreuSat_Logic_LogicClause_Impl2_InvariantUnaryOk_Interface
-  use Type
-  use mach.int.Int
-  predicate invariant_unary_ok (self : Type.creusat_clause_clause) (n : int)
-end
-module CreuSat_Logic_LogicClause_Impl2_InvariantUnaryOk
-  use Type
-  use mach.int.Int
-  clone CreuSat_Logic_LogicClause_Impl2_SearchIdxInRange_Interface as SearchIdxInRange0
-  clone CreuSat_Logic_LogicClause_Impl2_NoDuplicateIndexes_Interface as NoDuplicateIndexes0
-  clone CreuSat_Logic_LogicClause_Impl2_VarsInRange_Interface as VarsInRange0
-  predicate invariant_unary_ok [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 203 4 203 51] (self : Type.creusat_clause_clause) (n : int)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_clause.rs" 205 8 205 104] VarsInRange0.vars_in_range self n && NoDuplicateIndexes0.no_duplicate_indexes self && SearchIdxInRange0.search_idx_in_range self
-end
-module CreuSat_Logic_LogicFormula_Impl1_Compatible_Interface
-  use Type
-  predicate compatible (self : Type.creusat_formula_formula) (o : Type.creusat_formula_formula)
-end
-module CreuSat_Logic_LogicFormula_Impl1_Compatible
-  use Type
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicClause_Impl2_Equals_Interface as Equals0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  predicate compatible [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 84 4 84 47] (self : Type.creusat_formula_formula) (o : Type.creusat_formula_formula)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 85 8 90 9] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars o) && Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses o)) >= Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) && (forall i : (int) . 0 <= i && i < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) -> Equals0.equals (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) i) (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses o)) i))
-end
-module CreuSat_Logic_LogicFormula_Impl1_EventuallySatInner_Interface
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  predicate eventually_sat_inner (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
-end
-module CreuSat_Logic_LogicFormula_Impl1_EventuallySatInner
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner_Interface as SatInner0
-  clone CreuSat_Logic_LogicAssignments_CompatibleInner_Interface as CompatibleInner0
-  predicate eventually_sat_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 118 4 118 64] (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 119 8 121 9] exists a2 : (Seq.seq uint8) . Seq.length a2 = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self) && CompatibleInner0.compatible_inner a a2 && SatInner0.sat_inner self a2
-end
-module CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteInner_Interface
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  predicate eventually_sat_complete_inner (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
-end
-module CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteInner
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner_Interface as SatInner0
-  clone CreuSat_Logic_LogicAssignments_CompatibleCompleteInner_Interface as CompatibleCompleteInner0
-  predicate eventually_sat_complete_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 125 4 125 73] (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 126 8 128 9] exists a2 : (Seq.seq uint8) . Seq.length a2 = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self) && CompatibleCompleteInner0.compatible_complete_inner a a2 && SatInner0.sat_inner self a2
-end
-module CreuSat_Logic_LogicFormula_Impl1_EventuallySatComplete_Interface
-  use Type
-  predicate eventually_sat_complete (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
-end
-module CreuSat_Logic_LogicFormula_Impl1_EventuallySatComplete
-  use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteInner_Interface as EventuallySatCompleteInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate eventually_sat_complete [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 132 4 132 60] (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 133 8 133 59] EventuallySatCompleteInner0.eventually_sat_complete_inner self (Model0.model a)
-end
-module CreuSat_Logic_LogicFormula_Impl1_EventuallySat_Interface
-  use Type
-  predicate eventually_sat (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
-end
-module CreuSat_Logic_LogicFormula_Impl1_EventuallySat
-  use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatInner_Interface as EventuallySatInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate eventually_sat [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 137 4 137 51] (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 138 8 138 50] EventuallySatInner0.eventually_sat_inner self (Model0.model a)
-end
-module CreuSat_Logic_LogicFormula_Impl1_UnsatInner_Interface
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  predicate unsat_inner (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
-end
-module CreuSat_Logic_LogicFormula_Impl1_UnsatInner
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner_Interface as UnsatInner0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  predicate unsat_inner [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 155 4 155 55] (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 156 8 159 9] exists i : (int) . 0 <= i && i < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) && UnsatInner0.unsat_inner (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) i) a
-end
-module CreuSat_Logic_LogicFormula_Impl1_Unsat_Interface
-  use Type
-  predicate unsat (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
-end
-module CreuSat_Logic_LogicFormula_Impl1_Unsat
-  use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_UnsatInner_Interface as UnsatInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate unsat [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 163 4 163 46] (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_formula.rs" 164 8 164 42] UnsatInner0.unsat_inner self (Model0.model a)
-end
-module CreuSat_Logic_LogicLit_Impl1_LitInInternal_Interface
-  use Type
-  use seq.Seq
-  predicate lit_in_internal (self : Type.creusat_lit_lit) (c : Seq.seq (Type.creusat_lit_lit))
-end
-module CreuSat_Logic_LogicLit_Impl1_LitInInternal
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  predicate lit_in_internal [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 54 4 54 53] (self : Type.creusat_lit_lit) (c : Seq.seq (Type.creusat_lit_lit))
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 55 8 57 9] exists i : (int) . 0 <= i && i < Seq.length c && Seq.get c i = self
-end
-module CreuSat_Logic_LogicLit_Impl1_IdxInTrail_Interface
-  use Type
-  predicate idx_in_trail (self : Type.creusat_lit_lit) (t : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global))
-    
-end
-module CreuSat_Logic_LogicLit_Impl1_IdxInTrail
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  use seq.Seq
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  predicate idx_in_trail [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 121 4 121 51] (self : Type.creusat_lit_lit) (t : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global))
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_lit.rs" 122 8 125 9] exists i : (int) . 0 <= i && i < Seq.length (Model0.model t) && IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit (Seq.get (Model0.model t) i)) = IndexLogic0.index_logic self
-end
-module CreuSat_Logic_LogicTrail_Impl0_InvariantReasonNew_Interface
-  use Type
-  predicate invariant_reason_new (self : Type.creusat_trail_reason) (f : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
-    
-end
-module CreuSat_Logic_LogicTrail_Impl0_InvariantReasonNew
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  use seq.Seq
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner_Interface as UnsatInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model2
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  predicate invariant_reason_new [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 27 4 27 73] (self : Type.creusat_trail_reason) (f : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 28 8 42 9] match (self) with
-      | Type.CreuSat_Trail_Reason_Long cref -> 0 <= UInt64.to_int cref && UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) && Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) > 1 && (forall i : (int) . 1 <= i && i < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) -> UnsatInner0.unsat_inner (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) i) (Model2.model a)) && SatInner0.sat_inner (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) 0) (Model2.model a)
-      | Type.CreuSat_Trail_Reason_Unit cref -> 0 <= UInt64.to_int cref && UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) && Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) = 1 && SatInner0.sat_inner (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) 0) (Model2.model a)
-      | _ -> true
-      end
-end
-module CreuSat_Logic_LogicTrail_Impl2_NewPostUnit_Interface
-  use Type
-  predicate new_post_unit (self : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
-end
-module CreuSat_Logic_LogicTrail_Impl2_NewPostUnit
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  use seq.Seq
-  clone CreuSat_Logic_LogicTrail_Impl0_InvariantReasonNew_Interface as InvariantReasonNew0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  predicate new_post_unit [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 105 4 105 50] (self : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 106 8 109 9] forall j : (int) . 0 <= j && j < Seq.length (Model0.model (Type.creusat_trail_trail_Trail_trail self)) -> InvariantReasonNew0.invariant_reason_new (Type.creusat_trail_step_Step_reason (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_trail self)) j)) f (Type.creusat_trail_trail_Trail_assignments self)
-end
-module CreuSat_Logic_LogicTrail_ClausePostWithRegardsTo_Interface
-  use Type
-  use mach.int.Int
-  predicate clause_post_with_regards_to (c : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments) (j : int)
-    
-end
-module CreuSat_Logic_LogicTrail_ClausePostWithRegardsTo
-  use Type
-  use mach.int.Int
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner_Interface as ClausePostWithRegardsToInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate clause_post_with_regards_to [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 187 0 187 77] (c : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments) (j : int)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 188 4 190 5] ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner c (Model0.model a) j
-end
-module CreuSat_Logic_LogicTrail_ClausePostWithRegardsToLit_Interface
-  use Type
-  predicate clause_post_with_regards_to_lit (c : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments) (lit : Type.creusat_lit_lit)
-    
-end
-module CreuSat_Logic_LogicTrail_ClausePostWithRegardsToLit
-  use Type
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner_Interface as ClausePostWithRegardsToInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  predicate clause_post_with_regards_to_lit [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 203 0 203 83] (c : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments) (lit : Type.creusat_lit_lit)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 204 4 206 5] ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner c (Model0.model a) (UInt64.to_int (Type.creusat_lit_lit_Lit_idx lit))
-end
-module CreuSat_Logic_LogicTrail_LongArePostUnit_Interface
-  use Type
-  predicate long_are_post_unit (trail : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
-end
-module CreuSat_Logic_LogicTrail_LongArePostUnit
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  use seq.Seq
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsTo_Interface as ClausePostWithRegardsTo0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  predicate long_are_post_unit [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 219 0 219 59] (trail : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 220 4 226 5] forall j : (int) . 0 <= j && j < Seq.length (Model0.model (Type.creusat_trail_trail_Trail_trail trail)) -> match (Type.creusat_trail_step_Step_reason (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_trail trail)) j)) with
-      | Type.CreuSat_Trail_Reason_Long k -> ClausePostWithRegardsTo0.clause_post_with_regards_to (Seq.get (Model1.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int k)) (Type.creusat_trail_trail_Trail_assignments trail) (IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_trail trail)) j)))
-      | _ -> true
-      end
-end
-module CreuSat_Logic_LogicTrail_LemmaAssignMaintainsLongArePostUnit_Interface
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use Type
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
-  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicTrail_CrefsInRange_Interface as CrefsInRange0
-  clone CreuSat_Logic_LogicTrail_TrailInvariant_Interface as TrailInvariant0
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant0
-  function lemma_assign_maintains_long_are_post_unit (v : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments) (lit : Type.creusat_lit_lit) : ()
-    
-end
-module CreuSat_Logic_LogicTrail_LemmaAssignMaintainsLongArePostUnit
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use Type
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
-  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicTrail_CrefsInRange_Interface as CrefsInRange0
-  clone CreuSat_Logic_LogicTrail_TrailInvariant_Interface as TrailInvariant0
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant0
-  function lemma_assign_maintains_long_are_post_unit [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 264 0 264 100] (v : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments) (lit : Type.creusat_lit_lit) : ()
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 254 0 254 8] ()
-  axiom lemma_assign_maintains_long_are_post_unit_spec : forall v : Seq.seq (Type.creusat_trail_step), f : Type.creusat_formula_formula, a : Type.creusat_assignments_assignments, lit : Type.creusat_lit_lit . ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 255 0 255 27] Invariant0.invariant' a f) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 256 0 256 26] Invariant1.invariant' f) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 257 0 257 34] TrailInvariant0.trail_invariant v f) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 258 0 258 33] CrefsInRange0.crefs_in_range v f) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 259 0 259 39] Invariant2.invariant' lit (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 260 0 260 43] Unset0.unset (Seq.get (Model0.model a) (IndexLogic0.index_logic lit))) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 261 0 261 47] LongArePostUnitInner0.long_are_post_unit_inner v f (Model0.model a)) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 263 0 263 76] LongArePostUnitInner0.long_are_post_unit_inner v f (Seq.set (Model0.model a) (IndexLogic0.index_logic lit) (0 : uint8))) && ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 262 0 262 76] LongArePostUnitInner0.long_are_post_unit_inner v f (Seq.set (Model0.model a) (IndexLogic0.index_logic lit) (1 : uint8)))
-end
-module CreuSat_Logic_LogicTrail_LemmaAssignMaintainsLongArePostUnit_Impl
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model4 with function Model0.model = Model5.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant5 with function Model0.model = Model3.model,
-  function Model1.model = Model4.model
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model1 with function Model0.model = Model3.model
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model0 with function Model0.model = Model2.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant0 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model4.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model3.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant2 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant2.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model4.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model3.model,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model4.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model1.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant3 with predicate Invariant0.invariant' = Invariant2.invariant',
-  predicate Invariant1.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  let rec ghost function lemma_assign_maintains_long_are_post_unit (v : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments) (lit : Type.creusat_lit_lit) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 255 0 255 27] Invariant0.invariant' a f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 256 0 256 26] Invariant1.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 257 0 257 34] TrailInvariant0.trail_invariant v f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 258 0 258 33] CrefsInRange0.crefs_in_range v f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 259 0 259 39] Invariant2.invariant' lit (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 260 0 260 43] Unset0.unset (Seq.get (Model0.model a) (IndexLogic0.index_logic lit))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 261 0 261 47] LongArePostUnitInner0.long_are_post_unit_inner v f (Model0.model a)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 262 0 262 76] LongArePostUnitInner0.long_are_post_unit_inner v f (Seq.set (Model0.model a) (IndexLogic0.index_logic lit) (1 : uint8)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 263 0 263 76] LongArePostUnitInner0.long_are_post_unit_inner v f (Seq.set (Model0.model a) (IndexLogic0.index_logic lit) (0 : uint8)) }
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 254 0 254 8] ()
-end
-module CreuSat_Logic_LogicTrail_LemmaPushMaintainsLitNotInLess_Interface
-  use seq.Seq
-  use Type
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner_Interface as LitNotInLessInner0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  function lemma_push_maintains_lit_not_in_less (t : Type.creusat_trail_trail) (f : Type.creusat_formula_formula) (step : Type.creusat_trail_step) : ()
-    
-end
-module CreuSat_Logic_LogicTrail_LemmaPushMaintainsLitNotInLess
-  use seq.Seq
-  use Type
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner_Interface as LitNotInLessInner0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  function lemma_push_maintains_lit_not_in_less [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 274 0 274 77] (t : Type.creusat_trail_trail) (f : Type.creusat_formula_formula) (step : Type.creusat_trail_step) : ()
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 267 0 267 8] ()
-  axiom lemma_push_maintains_lit_not_in_less_spec : forall t : Type.creusat_trail_trail, f : Type.creusat_formula_formula, step : Type.creusat_trail_step . ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 268 0 268 26] Invariant0.invariant' f) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 269 0 269 27] Invariant1.invariant' t f) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 270 0 270 60] Unset0.unset (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments t)) (IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit step)))) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 271 0 271 30] Invariant2.invariant' step f) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 272 0 272 47] LitNotInLessInner0.lit_not_in_less_inner (Model1.model (Type.creusat_trail_trail_Trail_trail t)) f) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 273 0 273 59] LitNotInLessInner0.lit_not_in_less_inner (Seq.snoc (Model1.model (Type.creusat_trail_trail_Trail_trail t)) step) f)
-end
-module CreuSat_Logic_LogicTrail_LemmaPushMaintainsLitNotInLess_Impl
-  use seq.Seq
-  use Type
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model6 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant4 with function Model0.model = Model5.model,
-  function Model1.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model2 with function Model0.model = Model5.model
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model5.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant3 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant5 with function Model0.model = Model6.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model5.model,
-  predicate Invariant0.invariant' = Invariant5.invariant', function Model1.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model2.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant2 with predicate Invariant0.invariant' = Invariant3.invariant',
-  predicate Invariant1.invariant' = Invariant4.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant2.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model0 with function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model0.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model5.model,
-  function Model1.model = Model6.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant6 with function Model0.model = Model0.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model1.model,
-  function Model1.model = Model0.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model1.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model1.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model3.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model, predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model2.model = Model3.model, function Model3.model = Model5.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant6.invariant', function Model0.model = Model1.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model3.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model0.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model3.model, function Model1.model = Model1.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  let rec ghost function lemma_push_maintains_lit_not_in_less (t : Type.creusat_trail_trail) (f : Type.creusat_formula_formula) (step : Type.creusat_trail_step) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 268 0 268 26] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 269 0 269 27] Invariant1.invariant' t f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 270 0 270 60] Unset0.unset (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments t)) (IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit step)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 271 0 271 30] Invariant2.invariant' step f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 272 0 272 47] LitNotInLessInner0.lit_not_in_less_inner (Model1.model (Type.creusat_trail_trail_Trail_trail t)) f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 273 0 273 59] LitNotInLessInner0.lit_not_in_less_inner (Seq.snoc (Model1.model (Type.creusat_trail_trail_Trail_trail t)) step) f }
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_trail.rs" 267 0 267 8] ()
-end
-module CreuSat_Logic_LogicUtil_LastIdx_Interface
-  type t
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  function last_idx (s : Seq.seq t) : int
-end
-module CreuSat_Logic_LogicUtil_LastIdx
-  type t
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  function last_idx [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 77 0 77 36] (s : Seq.seq t) : int =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 78 4 78 27] Seq.length s - 1
-  axiom last_idx_spec : forall s : Seq.seq t . ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 76 0 76 24] Seq.length s > 0) -> true
-end
-module CreuSat_Logic_LogicUtil_LastIdx_Impl
-  type t
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  let rec ghost function last_idx (s : Seq.seq t) : int
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 76 0 76 24] Seq.length s > 0}
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 78 4 78 27] Seq.length s - 1
-end
-module CreuSat_Logic_LogicUtil_LastElem_Interface
-  type t
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  function last_elem (s : Seq.seq t) : t
-end
-module CreuSat_Logic_LogicUtil_LastElem
-  type t
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  function last_elem [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 84 0 84 35] (s : Seq.seq t) : t =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 85 4 85 30] Seq.get s (Seq.length s - 1)
-  axiom last_elem_spec : forall s : Seq.seq t . ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 83 0 83 24] Seq.length s > 0) -> true
-end
-module CreuSat_Logic_LogicUtil_LastElem_Impl
-  type t
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  let rec ghost function last_elem (s : Seq.seq t) : t
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 83 0 83 24] Seq.length s > 0}
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 85 4 85 30] Seq.get s (Seq.length s - 1)
-end
-module CreuSat_Logic_LogicUtil_LemmaPopMaintainsSorted_Interface
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicUtil_Pop_Interface as Pop0 with type t = usize, axiom .
-  clone CreuSat_Logic_LogicUtil_Sorted_Interface as Sorted0
-  function lemma_pop_maintains_sorted (s : Seq.seq usize) : ()
-end
-module CreuSat_Logic_LogicUtil_LemmaPopMaintainsSorted
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicUtil_Pop_Interface as Pop0 with type t = usize, axiom .
-  clone CreuSat_Logic_LogicUtil_Sorted_Interface as Sorted0
-  function lemma_pop_maintains_sorted [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 93 0 93 48] (s : Seq.seq usize) : ()
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 88 0 88 8] ()
-  axiom lemma_pop_maintains_sorted_spec : forall s : Seq.seq usize . ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 90 0 90 24] Seq.length s > 0) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 91 0 91 22] Sorted0.sorted s) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 92 0 92 26] Sorted0.sorted (Pop0.pop s))
-end
-module CreuSat_Logic_LogicUtil_LemmaPopMaintainsSorted_Impl
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicUtil_Pop as Pop0 with type t = usize, axiom .
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  let rec ghost function lemma_pop_maintains_sorted (s : Seq.seq usize) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 90 0 90 24] Seq.length s > 0}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 91 0 91 22] Sorted0.sorted s}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 92 0 92 26] Sorted0.sorted (Pop0.pop s) }
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_util.rs" 88 0 88 8] ()
-end
-module CreuSat_Logic_LogicWatches_WatchValid_Interface
-  use seq.Seq
-  use Type
-  predicate watch_valid (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula)
-end
-module CreuSat_Logic_LogicWatches_WatchValid
-  use seq.Seq
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  predicate watch_valid [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 25 0 25 55] (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 26 4 31 5] forall j : (int) . 0 <= j && j < Seq.length w -> UInt64.to_int (Type.creusat_watches_watcher_Watcher_cref (Seq.get w j)) < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) && Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int (Type.creusat_watches_watcher_Watcher_cref (Seq.get w j))))) > 1 && IndexLogic0.index_logic (Type.creusat_watches_watcher_Watcher_blocker (Seq.get w j)) < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)
-end
-module CreuSat_Logic_LogicWatches_WatchesCrefsInRange_Interface
-  use seq.Seq
-  use Type
-  predicate watches_crefs_in_range (w : Seq.seq (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global))) (f : Type.creusat_formula_formula)
-    
-end
-module CreuSat_Logic_LogicWatches_WatchesCrefsInRange
-  use seq.Seq
-  use Type
-  use mach.int.Int
-  use mach.int.Int32
-  clone CreuSat_Logic_LogicWatches_WatcherCrefsInRange_Interface as WatcherCrefsInRange0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  predicate watches_crefs_in_range [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 43 0 43 71] (w : Seq.seq (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global))) (f : Type.creusat_formula_formula)
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 44 4 47 5] forall i : (int) . 0 <= i && i < Seq.length w -> WatcherCrefsInRange0.watcher_crefs_in_range (Model0.model (Seq.get w i)) f
-end
-module CreuSat_Logic_LogicWatches_LemmaPushMaintainsWatcherInvariant_Interface
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_WatcherCrefsInRange_Interface as WatcherCrefsInRange0
-  function lemma_push_maintains_watcher_invariant (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula) (o : Type.creusat_watches_watcher) : ()
-    
-end
-module CreuSat_Logic_LogicWatches_LemmaPushMaintainsWatcherInvariant
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_WatcherCrefsInRange_Interface as WatcherCrefsInRange0
-  function lemma_push_maintains_watcher_invariant [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 62 0 62 86] (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula) (o : Type.creusat_watches_watcher) : ()
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 57 0 57 8] ()
-  axiom lemma_push_maintains_watcher_invariant_spec : forall w : Seq.seq (Type.creusat_watches_watcher), f : Type.creusat_formula_formula, o : Type.creusat_watches_watcher . ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 59 0 59 41] WatcherCrefsInRange0.watcher_crefs_in_range w f) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 60 0 60 41] UInt64.to_int (Type.creusat_watches_watcher_Watcher_cref o) < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))) -> ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 61 0 61 48] WatcherCrefsInRange0.watcher_crefs_in_range (Seq.snoc w o) f)
-end
-module CreuSat_Logic_LogicWatches_LemmaPushMaintainsWatcherInvariant_Impl
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_WatcherCrefsInRange as WatcherCrefsInRange0 with function Model0.model = Model0.model
-  let rec ghost function lemma_push_maintains_watcher_invariant (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula) (o : Type.creusat_watches_watcher) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 59 0 59 41] WatcherCrefsInRange0.watcher_crefs_in_range w f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 60 0 60 41] UInt64.to_int (Type.creusat_watches_watcher_Watcher_cref o) < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 61 0 61 48] WatcherCrefsInRange0.watcher_crefs_in_range (Seq.snoc w o) f }
-    
-   =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/logic/logic_watches.rs" 57 0 57 8] ()
-end
-module CreuSat_Solver_GetAssertingLevel_Interface
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner_Interface as NoDuplicateIndexesInner0
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner_Interface as VarsInRangeInner0
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
-  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model1 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface as EquisatExtensionInner0
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val get_asserting_level [@cfg:stackify] (clause : Type.creusat_clause_clause) (trail : Type.creusat_trail_trail) (f : Type.creusat_formula_formula) : (usize, usize)
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 32 0 32 26] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 33 0 33 32] Invariant1.invariant' trail f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 34 0 34 49] EquisatExtensionInner0.equisat_extension_inner clause (Model0.model f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 35 0 35 42] Invariant2.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 36 0 36 32] Seq.length (Model1.model clause) > 1}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 37 0 37 54] VarsInRangeInner0.vars_in_range_inner (Model1.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 38 0 38 48] NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model clause)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 39 0 39 39] UInt64.to_int (let (a, _) = result in a) < Seq.length (Model1.model clause) }
-    
-end
-module CreuSat_Solver_GetAssertingLevel
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model7 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model7.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model5 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant6 with function Model0.model = Model6.model,
-  function Model1.model = Model5.model
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model2 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner1 with function Model0.model = Model5.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model7.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model6.model,
-  function Model1.model = Model5.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model6.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant3 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant3.invariant',
-  predicate Invariant1.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant2 with function Model0.model = Model5.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model6.model,
-  predicate Invariant0.invariant' = Invariant2.invariant', function Model1.model = Model5.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model2.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model1 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model4.model,
-  function Model1.model = Model7.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model4.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model4.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model3.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model7.model,
-  function Model1.model = Model4.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model3.model, function Model3.model = Model6.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model4.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model3.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model7.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model3.model, function Model1.model = Model4.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy2 with type t = usize
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = usize
-  clone CreuSat_Lit_Impl1_Index_Interface as Index1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Clause_Impl3_Len_Interface as Len0 with function Model0.model = Model1.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index0 with function Model0.model = Model1.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index2 with type t = usize, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model3.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  let rec cfg get_asserting_level [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 40 0 40 89] (clause : Type.creusat_clause_clause) (trail : Type.creusat_trail_trail) (f : Type.creusat_formula_formula) : (usize, usize)
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 32 0 32 26] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 33 0 33 32] Invariant1.invariant' trail f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 34 0 34 49] EquisatExtensionInner0.equisat_extension_inner clause (Model0.model f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 35 0 35 42] Invariant2.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 36 0 36 32] Seq.length (Model1.model clause) > 1}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 37 0 37 54] VarsInRangeInner0.vars_in_range_inner (Model1.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 38 0 38 48] NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model clause)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 39 0 39 39] UInt64.to_int (let (a, _) = result in a) < Seq.length (Model1.model clause) }
-    
-   =
-  var _0 : (usize, usize);
-  var clause_1 : Type.creusat_clause_clause;
-  var trail_2 : Type.creusat_trail_trail;
-  var f_3 : Type.creusat_formula_formula;
-  var max_i_4 : usize;
-  var max_level_5 : usize;
-  var _6 : usize;
-  var _7 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _8 : usize;
-  var _9 : Type.creusat_lit_lit;
-  var _10 : Type.creusat_lit_lit;
-  var _11 : Type.creusat_clause_clause;
-  var i_12 : usize;
-  var _13 : ();
-  var _14 : ();
-  var _15 : bool;
-  var _16 : usize;
-  var _17 : usize;
-  var _18 : Type.creusat_clause_clause;
-  var level_19 : usize;
-  var _20 : usize;
-  var _21 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _22 : usize;
-  var _23 : Type.creusat_lit_lit;
-  var _24 : Type.creusat_lit_lit;
-  var _25 : Type.creusat_clause_clause;
-  var _26 : usize;
-  var _27 : ();
-  var _28 : bool;
-  var _29 : usize;
-  var _30 : usize;
-  var _31 : usize;
-  var _32 : usize;
-  var _33 : ();
-  var _34 : ();
-  var _35 : ();
-  var _36 : usize;
-  var _37 : usize;
-  {
-    clause_1 <- clause;
-    trail_2 <- trail;
-    f_3 <- f;
-    goto BB0
-  }
-  BB0 {
-    max_i_4 <- (1 : usize);
-    _7 <- Type.creusat_trail_trail_Trail_lit_to_level trail_2;
-    _11 <- clause_1;
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 42 43 42 52] Index0.index _11 (1 : usize));
-    goto BB1
-  }
-  BB1 {
-    _9 <- _10;
-    _8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 42 43 42 60] Index1.index _9);
-    goto BB2
-  }
-  BB2 {
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 42 24 42 61] Index2.index _7 _8);
-    goto BB3
-  }
-  BB3 {
-    max_level_5 <- _6;
-    i_12 <- (2 : usize);
-    goto BB4
-  }
-  BB4 {
-    invariant max_i_less { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 44 4 44 54] UInt64.to_int max_i_4 < Seq.length (Model1.model clause_1) };
-    _16 <- i_12;
-    _18 <- clause_1;
-    _17 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 45 14 45 26] Len0.len _18);
-    goto BB5
-  }
-  BB5 {
-    _15 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 45 10 45 26] _16 < _17);
-    switch (_15)
-      | False -> goto BB13
-      | _ -> goto BB6
-      end
-  }
-  BB6 {
-    _21 <- Type.creusat_trail_trail_Trail_lit_to_level trail_2;
-    _25 <- clause_1;
-    _26 <- i_12;
-    _24 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 46 39 46 48] Index0.index _25 _26);
-    goto BB7
-  }
-  BB7 {
-    _23 <- _24;
-    _22 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 46 39 46 56] Index1.index _23);
-    goto BB8
-  }
-  BB8 {
-    _20 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 46 20 46 57] Index2.index _21 _22);
-    goto BB9
-  }
-  BB9 {
-    level_19 <- _20;
-    _29 <- level_19;
-    _30 <- max_level_5;
-    _28 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 47 11 47 28] _29 > _30);
-    switch (_28)
-      | False -> goto BB11
-      | _ -> goto BB10
-      end
-  }
-  BB10 {
-    _31 <- level_19;
-    max_level_5 <- _31;
-    _32 <- i_12;
-    max_i_4 <- _32;
-    _27 <- ();
-    goto BB12
-  }
-  BB11 {
-    _27 <- ();
-    goto BB12
-  }
-  BB12 {
-    i_12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 51 8 51 14] i_12 + (1 : usize));
-    _14 <- ();
-    goto BB4
-  }
-  BB13 {
-    _13 <- ();
-    _36 <- max_i_4;
-    _37 <- max_level_5;
-    _0 <- (_36, _37);
-    return _0
-  }
-  
-end
-module Core_Ops_Index_IndexMut_IndexMut_Interface
-  type self
-  type idx
-  use prelude.Prelude
-  clone Core_Ops_Index_Index_Output as Output0 with type self = self, type idx = idx
-  val index_mut [@cfg:stackify] (self : borrowed self) (index : idx) : borrowed Output0.output
-    requires {false}
-    
-end
-module Core_Ops_Index_IndexMut_IndexMut
-  type self
-  type idx
-  use prelude.Prelude
-  clone Core_Ops_Index_Index_Output as Output0 with type self = self, type idx = idx
-  val index_mut [@cfg:stackify] (self : borrowed self) (index : idx) : borrowed Output0.output
-    requires {false}
-    
-end
-module CreuSat_Assignments_Impl1
-  use mach.int.Int
-  use prelude.Prelude
-  use prelude.UInt8
-  use Type
-  use mach.int.UInt64
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model1 with function Model0.model = Model2.model
-  clone CreuSat_Assignments_Impl0_Output as Output0
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model0 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Assignments_Impl1_IndexMut_Interface as IndexMut0 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model
-  clone Core_Ops_Index_IndexMut_IndexMut_Interface as IndexMut1 with type self = Type.creusat_assignments_assignments,
-  type idx = usize, val index_mut = IndexMut0.index_mut, type Output0.output = Output0.output
-end
-module CreuSat_Trail_Impl0_Backstep_Interface
-  use mach.int.UInt64
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model1
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror_Interface as InvariantNoDecisionMirror0
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision_Interface as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  axiom .
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val backstep [@cfg:stackify] (self : borrowed (Type.creusat_trail_trail)) (f : Type.creusat_formula_formula) : usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 58 4 58 30] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 59 4 59 32] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) > 0}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 60 4 60 54] InvariantNoDecision0.invariant_no_decision ( * self) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 61 4 61 77] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( * self))) f (Model1.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 60 4 60 54] InvariantNoDecision0.invariant_no_decision ( ^ self) f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 62 4 62 86] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) f (Model1.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 63 4 63 37] UInt64.to_int result < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) }
-    
-end
-module CreuSat_Trail_Impl0_Backstep
-  use mach.int.UInt64
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model6 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicUtil_Pop as Pop0 with type t = Type.creusat_trail_step, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant4 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant4.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant2 with function Model0.model = Model6.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant5 with function Model0.model = Model5.model,
-  function Model1.model = Model6.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant3 with predicate Invariant0.invariant' = Invariant4.invariant',
-  predicate Invariant1.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model5.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model2 with function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model5.model,
-  predicate Invariant0.invariant' = Invariant2.invariant', function Model1.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model2.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model1 with function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model1.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model5.model,
-  function Model1.model = Model6.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant1 with function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model3.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model1.model,
-  function Model1.model = Model0.model, predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model2.model = Model3.model, function Model3.model = Model5.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model0.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model0.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant1.invariant', function Model0.model = Model0.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model3.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model1.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  use mach.int.Int64
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = usize
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = usize
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = uint8
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_trail_trail
-  clone CreuSat_Lit_Impl1_Index_Interface as Index0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model8 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Assignments_Impl1_IndexMut_Interface as IndexMut0 with function Model0.model = Model8.model,
-  function Model1.model = Model1.model
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut1 with type t = usize, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model3.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone Alloc_Vec_Impl1_Pop_Interface as Pop1 with type t = Type.creusat_trail_step, type a = Type.alloc_alloc_global,
-  function Model0.model = Model0.model
-  let rec cfg backstep [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 65 4 65 48] (self : borrowed (Type.creusat_trail_trail)) (f : Type.creusat_formula_formula) : usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 58 4 58 30] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 59 4 59 32] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) > 0}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 60 4 60 54] InvariantNoDecision0.invariant_no_decision ( * self) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 61 4 61 77] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( * self))) f (Model1.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 60 4 60 54] InvariantNoDecision0.invariant_no_decision ( ^ self) f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 62 4 62 86] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) f (Model1.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 63 4 63 37] UInt64.to_int result < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) }
-    
-   =
-  var _0 : usize;
-  var self_1 : borrowed (Type.creusat_trail_trail);
-  var f_2 : Type.creusat_formula_formula;
-  var _3 : ();
-  ghost var old_t_4 : borrowed (Type.creusat_trail_trail);
-  var _5 : ();
-  var last_6 : Type.core_option_option (Type.creusat_trail_step);
-  var _7 : borrowed (Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global));
-  var _8 : ();
-  var _9 : isize;
-  var step_10 : Type.creusat_trail_step;
-  var _11 : ();
-  var _12 : borrowed uint8;
-  var _13 : borrowed (Type.creusat_assignments_assignments);
-  var _14 : usize;
-  var _15 : Type.creusat_lit_lit;
-  var _16 : ();
-  var _17 : ();
-  var _18 : borrowed usize;
-  var _19 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _20 : usize;
-  var _21 : Type.creusat_lit_lit;
-  var _22 : ();
-  var _23 : Type.creusat_lit_lit;
-  var _24 : ();
-  var _25 : ();
-  var _26 : ();
-  var _27 : ();
-  var _28 : ();
-  var _29 : ();
-  {
-    self_1 <- self;
-    f_2 <- f;
-    goto BB0
-  }
-  BB0 {
-    _5 <- ();
-    old_t_4 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 66 20 66 35] self_1);
-    goto BB1
-  }
-  BB1 {
-    _7 <- borrow_mut (Type.creusat_trail_trail_Trail_trail ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Trail_Trail a b c d e =  * self_1 in Type.CreuSat_Trail_Trail a b ( ^ _7) d e) };
-    last_6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 68 19 68 35] Pop1.pop _7);
-    goto BB2
-  }
-  BB2 {
-    switch (last_6)
-      | Type.Core_Option_Option_None -> goto BB3
-      | Type.Core_Option_Option_Some _ -> goto BB5
-      end
-  }
-  BB3 {
-    assume { Resolve0.resolve self_1 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 85 16 85 98] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( * self_1))) f_2 (Model1.model (Type.creusat_trail_trail_Trail_assignments ( * self_1))) && true };
-    _24 <- ();
-    _8 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 88 8 88 53] Invariant1.invariant' (Type.creusat_trail_trail_Trail_assignments ( * self_1)) f_2 };
-    _25 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 92 8 92 47] LitNotInLess0.lit_not_in_less ( * self_1) f_2 };
-    _26 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 93 8 93 43] LitIsUnique0.lit_is_unique ( * self_1) };
-    _27 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 94 8 94 83] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( * self_1))) f_2 (Model1.model (Type.creusat_trail_trail_Trail_assignments ( * self_1))) };
-    _28 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 95 8 95 56] TrailEntriesAreAssigned0.trail_entries_are_assigned ( * self_1) };
-    _29 <- ();
-    _0 <- (0 : usize);
-    goto BB11
-  }
-  BB4 {
-    assume { Resolve0.resolve self_1 };
-    absurd
-  }
-  BB5 {
-    step_10 <- Type.core_option_option_Some_0 last_6;
-    _13 <- borrow_mut (Type.creusat_trail_trail_Trail_assignments ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Trail_Trail a b c d e =  * self_1 in Type.CreuSat_Trail_Trail ( ^ _13) b c d e) };
-    _15 <- Type.creusat_trail_step_Step_lit step_10;
-    _14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 72 33 72 49] Index0.index _15);
-    goto BB6
-  }
-  BB6 {
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 72 16 72 50] IndexMut0.index_mut _13 _14);
-    goto BB7
-  }
-  BB7 {
-    _12 <- { _12 with current = ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 72 16 72 55]  * _12 + (2 : uint8)) };
-    assume { Resolve1.resolve _12 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 74 16 74 63] Model0.model (Type.creusat_trail_trail_Trail_trail ( * self_1)) = Pop0.pop (Model0.model (Type.creusat_trail_trail_Trail_trail ( * old_t_4))) };
-    _16 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 75 16 75 54]  ^ old_t_4 =  ^ self_1 };
-    _17 <- ();
-    _19 <- borrow_mut (Type.creusat_trail_trail_Trail_lit_to_level ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Trail_Trail a b c d e =  * self_1 in Type.CreuSat_Trail_Trail a ( ^ _19) c d e) };
-    assume { Resolve0.resolve self_1 };
-    _21 <- Type.creusat_trail_step_Step_lit step_10;
-    _20 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 77 34 77 50] Index0.index _21);
-    goto BB8
-  }
-  BB8 {
-    _18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 77 16 77 51] IndexMut1.index_mut _19 _20);
-    goto BB9
-  }
-  BB9 {
-    _18 <- { _18 with current = (18446744073709551615 : usize) };
-    assume { Resolve2.resolve _18 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 79 16 79 91] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( * self_1))) f_2 (Model1.model (Type.creusat_trail_trail_Trail_assignments ( * self_1))) };
-    _22 <- ();
-    _23 <- Type.creusat_trail_step_Step_lit step_10;
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 80 23 80 39] Index0.index _23);
-    goto BB10
-  }
-  BB10 {
-    goto BB11
-  }
-  BB11 {
-    return _0
-  }
-  
-end
-module CreuSat_Trail_Impl0_BacktrackTo_Interface
-  use seq.Seq
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use Type
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model2
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = usize, type a = Type.alloc_alloc_global,
-  axiom .
-  val backtrack_to [@cfg:stackify] (self : borrowed (Type.creusat_trail_trail)) (level : usize) (f : Type.creusat_formula_formula) (d : borrowed (Type.creusat_decision_decisions)) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 113 4 113 49] Seq.length (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self))) > UInt64.to_int level}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 114 4 114 30] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 115 4 115 42] Invariant1.invariant' ( * self) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 116 4 116 48] Invariant2.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 118 4 118 77] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self))) f (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 115 4 115 42] Invariant1.invariant' ( ^ self) f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 116 4 116 48] Invariant2.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 119 4 119 86] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) f (Model2.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
-    
-end
-module CreuSat_Trail_Impl0_BacktrackTo
-  use seq.Seq
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use Type
-  use mach.int.Int32
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model7 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicUtil_Pop as Pop0 with type t = usize, axiom .
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreuSat_Logic_LogicUtil_LemmaPopMaintainsSorted as LemmaPopMaintainsSorted0 with predicate Sorted0.sorted = Sorted0.sorted,
-  function Pop0.pop = Pop0.pop, axiom .
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model7.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model6.model,
-  function Model1.model = Model7.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model6.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model4 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model6.model,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model7.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model4.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model2 with function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model6.model,
-  function Model1.model = Model7.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant3 with function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant2 with function Model0.model = Model3.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model1.model,
-  function Model1.model = Model2.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model1.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model1.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model0.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model2.model,
-  function Model1.model = Model1.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model0.model, function Model3.model = Model6.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model0.model = Model1.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model0.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model2.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model0.model, function Model1.model = Model1.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  use mach.int.Int64
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_trail_trail
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_decision_decisions
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_decision_node
-  clone Core_Slice_Index_Impl2_Output as Output1 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue1 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds1 with type t = Type.creusat_decision_node
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = usize
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = usize
-  clone Alloc_Vec_Impl16_Index_Interface as Index1 with type t = Type.creusat_decision_node, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model3.model,
-  predicate InBounds0.in_bounds = InBounds1.in_bounds, predicate HasValue0.has_value = HasValue1.has_value,
-  type Output0.output = Output1.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_trail_step, type a = Type.alloc_alloc_global,
-  function Model0.model = Model1.model
-  clone Alloc_Vec_Impl1_Pop_Interface as Pop1 with type t = usize, type a = Type.alloc_alloc_global,
-  function Model0.model = Model0.model
-  clone Alloc_Vec_Impl1_Len_Interface as Len1 with type t = usize, type a = Type.alloc_alloc_global,
-  function Model0.model = Model0.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = usize, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  clone CreuSat_Trail_Impl0_Backstep_Interface as Backstep0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model1.model, function Model1.model = Model2.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  let rec cfg backtrack_to [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 121 4 121 80] (self : borrowed (Type.creusat_trail_trail)) (level : usize) (f : Type.creusat_formula_formula) (d : borrowed (Type.creusat_decision_decisions)) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 113 4 113 49] Seq.length (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self))) > UInt64.to_int level}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 114 4 114 30] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 115 4 115 42] Invariant1.invariant' ( * self) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 116 4 116 48] Invariant2.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 118 4 118 77] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self))) f (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 115 4 115 42] Invariant1.invariant' ( ^ self) f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 116 4 116 48] Invariant2.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 119 4 119 86] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) f (Model2.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
-    
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_trail_trail);
-  var level_2 : usize;
-  var f_3 : Type.creusat_formula_formula;
-  var d_4 : borrowed (Type.creusat_decision_decisions);
-  ghost var old_t_5 : borrowed (Type.creusat_trail_trail);
-  var _6 : ();
-  ghost var old_d_7 : borrowed (Type.creusat_decision_decisions);
-  var _8 : ();
-  var how_many_9 : usize;
-  var _10 : usize;
-  var _11 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var _12 : usize;
-  var _13 : usize;
-  var _14 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _15 : usize;
-  var des_16 : usize;
-  var _17 : usize;
-  var _18 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _19 : usize;
-  var i_20 : usize;
-  var curr_21 : usize;
-  var timestamp_22 : usize;
-  var _23 : bool;
-  var _24 : usize;
-  var _25 : Type.creusat_decision_node;
-  var _26 : Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global);
-  var _27 : usize;
-  var _28 : ();
-  var _29 : ();
-  var _30 : bool;
-  var _31 : usize;
-  var _32 : usize;
-  var idx_33 : usize;
-  var _34 : borrowed (Type.creusat_trail_trail);
-  var _35 : Type.creusat_formula_formula;
-  var _36 : ();
-  var curr_timestamp_37 : usize;
-  var _38 : Type.creusat_decision_node;
-  var _39 : Type.alloc_vec_vec (Type.creusat_decision_node) (Type.alloc_alloc_global);
-  var _40 : usize;
-  var _41 : ();
-  var _42 : bool;
-  var _43 : usize;
-  var _44 : usize;
-  var _45 : usize;
-  var _46 : usize;
-  var _47 : ();
-  var _48 : ();
-  var _49 : ();
-  var _50 : usize;
-  var _51 : ();
-  var _52 : bool;
-  var _53 : usize;
-  var _54 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _55 : usize;
-  ghost var old_t2_56 : borrowed (Type.creusat_trail_trail);
-  var _57 : ();
-  var _58 : ();
-  var _59 : ();
-  var _60 : ();
-  var _61 : ();
-  var _62 : Type.core_option_option usize;
-  var _63 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _64 : isize;
-  var _65 : ();
-  var _66 : ();
-  var _67 : ();
-  var _68 : ();
-  var _69 : ();
-  var _70 : ();
-  var _71 : ();
-  var _72 : ();
-  var _73 : ();
-  var _74 : bool;
-  var _75 : bool;
-  var _76 : usize;
-  var _77 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _78 : bool;
-  var _79 : usize;
-  var _80 : usize;
-  var _81 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _82 : usize;
-  var _83 : usize;
-  var _84 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _85 : usize;
-  var _86 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  ghost var old_t3_87 : borrowed (Type.creusat_trail_trail);
-  var _88 : ();
-  var _89 : ();
-  var _90 : ();
-  var _91 : ();
-  var _92 : ();
-  var _93 : Type.core_option_option usize;
-  var _94 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _95 : isize;
-  var _96 : ();
-  var _97 : ();
-  var _98 : ();
-  var _99 : ();
-  var _100 : ();
-  var _101 : ();
-  var _102 : ();
-  var _103 : ();
-  var _104 : ();
-  var _105 : ();
-  var _106 : ();
-  var _107 : ();
-  var _108 : ();
-  var _109 : ();
-  var _110 : ();
-  var _111 : usize;
-  {
-    self_1 <- self;
-    level_2 <- level;
-    f_3 <- f;
-    d_4 <- d;
-    goto BB0
-  }
-  BB0 {
-    _6 <- ();
-    old_t_5 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 122 20 122 35] self_1);
-    goto BB1
-  }
-  BB1 {
-    _8 <- ();
-    old_d_7 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 123 20 123 32] d_4);
-    goto BB2
-  }
-  BB2 {
-    _11 <- Type.creusat_trail_trail_Trail_trail ( * self_1);
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 124 23 124 39] Len0.len _11);
-    goto BB3
-  }
-  BB3 {
-    _14 <- Type.creusat_trail_trail_Trail_decisions ( * self_1);
-    _15 <- level_2;
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 124 42 124 63] Index0.index _14 _15);
-    goto BB4
-  }
-  BB4 {
-    _12 <- _13;
-    how_many_9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 124 23 124 63] _10 - _12);
-    _18 <- Type.creusat_trail_trail_Trail_decisions ( * self_1);
-    _19 <- level_2;
-    _17 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 125 18 125 39] Index0.index _18 _19);
-    goto BB5
-  }
-  BB5 {
-    des_16 <- _17;
-    i_20 <- (0 : usize);
-    curr_21 <- Type.creusat_decision_decisions_Decisions_search ( * d_4);
-    _24 <- curr_21;
-    _23 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 128 31 128 49] _24 <> (18446744073709551615 : usize));
-    switch (_23)
-      | False -> goto BB8
-      | _ -> goto BB6
-      end
-  }
-  BB6 {
-    _26 <- Type.creusat_decision_decisions_Decisions_linked_list ( * d_4);
-    _27 <- curr_21;
-    _25 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 128 52 128 71] Index1.index _26 _27);
-    goto BB7
-  }
-  BB7 {
-    timestamp_22 <- Type.creusat_decision_node_Node_ts _25;
-    goto BB9
-  }
-  BB8 {
-    timestamp_22 <- (0 : usize);
-    goto BB9
-  }
-  BB9 {
-    goto BB10
-  }
-  BB10 {
-    invariant i_less2 { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 129 8 129 57] UInt64.to_int i_20 <= Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail ( * old_t_5))) };
-    invariant i_less { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 130 8 130 43] i_20 <= how_many_9 };
-    invariant post_unit { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 131 8 131 93] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self_1))) f_3 (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self_1))) };
-    invariant inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 132 8 132 57] InvariantNoDecision0.invariant_no_decision ( * self_1) f_3 };
-    invariant d_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 133 8 133 53] Invariant2.invariant' ( * d_4) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_3)) };
-    invariant proph { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 135 8 135 52]  ^ old_t_5 =  ^ self_1 };
-    invariant proph_d { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 136 8 136 51]  ^ old_d_7 =  ^ d_4 };
-    invariant curr_less { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 137 8 137 87] UInt64.to_int curr_21 < Seq.length (Model3.model (Type.creusat_decision_decisions_Decisions_linked_list ( * d_4))) || UInt64.to_int curr_21 = 18446744073709551615 };
-    _31 <- i_20;
-    _32 <- how_many_9;
-    _30 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 139 14 139 26] _31 < _32);
-    switch (_30)
-      | False -> goto BB17
-      | _ -> goto BB11
-      end
-  }
-  BB11 {
-    _34 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _34) };
-    _35 <- f_3;
-    idx_33 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 140 22 140 38] Backstep0.backstep _34 _35);
-    goto BB12
-  }
-  BB12 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 141 12 141 45] UInt64.to_int idx_33 < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_3) };
-    _36 <- ();
-    _39 <- Type.creusat_decision_decisions_Decisions_linked_list ( * d_4);
-    _40 <- idx_33;
-    _38 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 142 33 142 51] Index1.index _39 _40);
-    goto BB13
-  }
-  BB13 {
-    curr_timestamp_37 <- Type.creusat_decision_node_Node_ts _38;
-    _43 <- curr_timestamp_37;
-    _44 <- timestamp_22;
-    _42 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 143 15 143 41] _43 > _44);
-    switch (_42)
-      | False -> goto BB15
-      | _ -> goto BB14
-      end
-  }
-  BB14 {
-    _45 <- curr_timestamp_37;
-    timestamp_22 <- _45;
-    _46 <- idx_33;
-    curr_21 <- _46;
-    _41 <- ();
-    goto BB16
-  }
-  BB15 {
-    _41 <- ();
-    goto BB16
-  }
-  BB16 {
-    i_20 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 147 12 147 18] i_20 + (1 : usize));
-    _29 <- ();
-    goto BB10
-  }
-  BB17 {
-    _28 <- ();
-    _50 <- curr_21;
-    d_4 <- { d_4 with current = (let Type.CreuSat_Decision_Decisions a b c d =  * d_4 in Type.CreuSat_Decision_Decisions a b c _50) };
-    assume { Resolve0.resolve d_4 };
-    goto BB18
-  }
-  BB18 {
-    invariant post_unit { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 151 8 151 93] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self_1))) f_3 (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self_1))) };
-    invariant inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 152 8 152 57] InvariantNoDecision0.invariant_no_decision ( * self_1) f_3 };
-    invariant proph { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 153 8 153 52]  ^ old_t_5 =  ^ self_1 };
-    _54 <- Type.creusat_trail_trail_Trail_decisions ( * self_1);
-    _53 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 154 14 154 34] Len1.len _54);
-    goto BB19
-  }
-  BB19 {
-    _55 <- level_2;
-    _52 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 154 14 154 42] _53 > _55);
-    switch (_52)
-      | False -> goto BB26
-      | _ -> goto BB20
-      end
-  }
-  BB20 {
-    _57 <- ();
-    old_t2_56 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 155 25 155 40] self_1);
-    goto BB21
-  }
-  BB21 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 156 12 156 50] Sorted0.sorted (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self_1))) };
-    _58 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 157 12 157 54] Seq.length (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self_1))) > 0 };
-    _59 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 158 12 158 76] let _ = LemmaPopMaintainsSorted0.lemma_pop_maintains_sorted (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self_1))) in true };
-    _60 <- ();
-    _63 <- borrow_mut (Type.creusat_trail_trail_Trail_decisions ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Trail_Trail a b c d e =  * self_1 in Type.CreuSat_Trail_Trail a b c d ( ^ _63)) };
-    _62 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 159 18 159 38] Pop1.pop _63);
-    goto BB22
-  }
-  BB22 {
-    switch (_62)
-      | Type.Core_Option_Option_None -> goto BB23
-      | Type.Core_Option_Option_Some _ -> goto BB25
-      end
-  }
-  BB23 {
-    assume { Resolve1.resolve self_1 };
-    absurd
-  }
-  BB24 {
-    assume { Resolve1.resolve self_1 };
-    absurd
-  }
-  BB25 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 161 20 161 76] Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self_1)) = Pop0.pop (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * old_t2_56))) };
-    _65 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 162 20 162 61]  ^ old_t2_56 =  ^ self_1 };
-    _66 <- ();
-    _61 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 168 12 168 50] Sorted0.sorted (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self_1))) };
-    _69 <- ();
-    _29 <- ();
-    goto BB18
-  }
-  BB26 {
-    _51 <- ();
-    goto BB27
-  }
-  BB27 {
-    invariant post_unit { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 171 8 171 93] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self_1))) f_3 (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self_1))) };
-    invariant inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 172 8 172 57] InvariantNoDecision0.invariant_no_decision ( * self_1) f_3 };
-    invariant proph { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 173 8 173 52]  ^ old_t_5 =  ^ self_1 };
-    _77 <- Type.creusat_trail_trail_Trail_decisions ( * self_1);
-    _76 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 174 14 174 34] Len1.len _77);
-    goto BB31
-  }
-  BB28 {
-    _74 <- false;
-    goto BB30
-  }
-  BB29 {
-    _81 <- Type.creusat_trail_trail_Trail_decisions ( * self_1);
-    _84 <- Type.creusat_trail_trail_Trail_decisions ( * self_1);
-    _83 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 174 57 174 77] Len1.len _84);
-    goto BB32
-  }
-  BB30 {
-    switch (_74)
-      | False -> goto BB41
-      | _ -> goto BB35
-      end
-  }
-  BB31 {
-    _75 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 174 14 174 38] _76 > (0 : usize));
-    switch (_75)
-      | False -> goto BB28
-      | _ -> goto BB29
-      end
-  }
-  BB32 {
-    _82 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 174 57 174 81] _83 - (1 : usize));
-    _80 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 174 42 174 82] Index0.index _81 _82);
-    goto BB33
-  }
-  BB33 {
-    _79 <- _80;
-    _86 <- Type.creusat_trail_trail_Trail_trail ( * self_1);
-    _85 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 174 85 174 101] Len0.len _86);
-    goto BB34
-  }
-  BB34 {
-    _78 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 174 42 174 101] _79 > _85);
-    _74 <- _78;
-    goto BB30
-  }
-  BB35 {
-    _88 <- ();
-    old_t3_87 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 175 25 175 40] self_1);
-    goto BB36
-  }
-  BB36 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 176 12 176 50] Sorted0.sorted (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self_1))) };
-    _89 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 177 12 177 54] Seq.length (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self_1))) > 0 };
-    _90 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 178 12 178 76] let _ = LemmaPopMaintainsSorted0.lemma_pop_maintains_sorted (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self_1))) in true };
-    _91 <- ();
-    _94 <- borrow_mut (Type.creusat_trail_trail_Trail_decisions ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Trail_Trail a b c d e =  * self_1 in Type.CreuSat_Trail_Trail a b c d ( ^ _94)) };
-    _93 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 180 18 180 38] Pop1.pop _94);
-    goto BB37
-  }
-  BB37 {
-    switch (_93)
-      | Type.Core_Option_Option_None -> goto BB38
-      | Type.Core_Option_Option_Some _ -> goto BB40
-      end
-  }
-  BB38 {
-    assume { Resolve1.resolve self_1 };
-    absurd
-  }
-  BB39 {
-    assume { Resolve1.resolve self_1 };
-    absurd
-  }
-  BB40 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 182 20 182 78] Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self_1)) = Pop0.pop (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * old_t3_87))) };
-    _96 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 183 20 183 61]  ^ old_t3_87 =  ^ self_1 };
-    _97 <- ();
-    _92 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 189 12 189 78] let _ = LemmaPopMaintainsSorted0.lemma_pop_maintains_sorted (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * old_t3_87))) in true };
-    _100 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 190 12 190 50] Sorted0.sorted (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self_1))) };
-    _101 <- ();
-    _29 <- ();
-    goto BB27
-  }
-  BB41 {
-    _73 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 192 8 195 9] Seq.length (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self_1))) = 0 || UInt64.to_int (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self_1))) (Seq.length (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self_1))) - 1)) <= Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self_1))) };
-    _105 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 197 8 197 53] Invariant3.invariant' (Type.creusat_trail_trail_Trail_assignments ( * self_1)) f_3 };
-    _106 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 200 8 200 47] LitNotInLess0.lit_not_in_less ( * self_1) f_3 };
-    _107 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 201 8 201 43] LitIsUnique0.lit_is_unique ( * self_1) };
-    _108 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 202 8 202 83] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self_1))) f_3 (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self_1))) };
-    _109 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 203 8 203 56] TrailEntriesAreAssigned0.trail_entries_are_assigned ( * self_1) };
-    _110 <- ();
-    _111 <- level_2;
-    self_1 <- { self_1 with current = (let Type.CreuSat_Trail_Trail a b c d e =  * self_1 in Type.CreuSat_Trail_Trail a b c _111 e) };
-    assume { Resolve1.resolve self_1 };
-    _0 <- ();
-    return _0
-  }
-  
-end
-module CreuSat_Trail_Impl0_BacktrackSafe_Interface
-  use mach.int.UInt64
-  use prelude.Prelude
-  use Type
-  use mach.int.Int
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model1
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val backtrack_safe [@cfg:stackify] (self : borrowed (Type.creusat_trail_trail)) (level : usize) (f : Type.creusat_formula_formula) (d : borrowed (Type.creusat_decision_decisions)) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 101 4 101 30] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 102 4 102 42] Invariant1.invariant' ( * self) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 103 4 103 48] Invariant2.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 104 4 104 77] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( * self))) f (Model1.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 102 4 102 42] Invariant1.invariant' ( ^ self) f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 103 4 103 48] Invariant2.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 105 4 105 86] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) f (Model1.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
-    
-end
-module CreuSat_Trail_Impl0_BacktrackSafe
-  use mach.int.UInt64
-  use prelude.Prelude
-  use Type
-  use mach.int.Int
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model7 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model7.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model6.model,
-  function Model1.model = Model7.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model6.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model2 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model6.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model7.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model2.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model1 with function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model1.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model6.model,
-  function Model1.model = Model7.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model1.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant2 with function Model0.model = Model4.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model0.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model0.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model3.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model1.model,
-  function Model1.model = Model0.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model3.model, function Model3.model = Model6.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model0.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model3.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model1.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model3.model, function Model1.model = Model0.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_decision_decisions
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_trail_trail
-  clone CreuSat_Trail_Impl0_DecisionLevel_Interface as DecisionLevel0 with function Model0.model = Model3.model
-  clone CreuSat_Trail_Impl0_BacktrackTo_Interface as BacktrackTo0 with function Model0.model = Model3.model,
-  predicate Invariant0.invariant' = Invariant0.invariant', predicate Invariant1.invariant' = Invariant1.invariant',
-  predicate Invariant2.invariant' = Invariant2.invariant', function Model1.model = Model0.model,
-  function Model2.model = Model1.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg backtrack_safe [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 106 4 106 82] (self : borrowed (Type.creusat_trail_trail)) (level : usize) (f : Type.creusat_formula_formula) (d : borrowed (Type.creusat_decision_decisions)) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 101 4 101 30] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 102 4 102 42] Invariant1.invariant' ( * self) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 103 4 103 48] Invariant2.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 104 4 104 77] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( * self))) f (Model1.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 102 4 102 42] Invariant1.invariant' ( ^ self) f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 103 4 103 48] Invariant2.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 105 4 105 86] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) f (Model1.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
-    
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_trail_trail);
-  var level_2 : usize;
-  var f_3 : Type.creusat_formula_formula;
-  var d_4 : borrowed (Type.creusat_decision_decisions);
-  var _5 : bool;
-  var _6 : usize;
-  var _7 : usize;
-  var _8 : Type.creusat_trail_trail;
-  var _9 : ();
-  var _10 : borrowed (Type.creusat_trail_trail);
-  var _11 : usize;
-  var _12 : Type.creusat_formula_formula;
-  var _13 : borrowed (Type.creusat_decision_decisions);
-  {
-    self_1 <- self;
-    level_2 <- level;
-    f_3 <- f;
-    d_4 <- d;
-    goto BB0
-  }
-  BB0 {
-    _6 <- level_2;
-    _8 <-  * self_1;
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 107 19 107 40] DecisionLevel0.decision_level _8);
-    goto BB1
-  }
-  BB1 {
-    _5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 107 11 107 40] _6 < _7);
-    switch (_5)
-      | False -> goto BB4
-      | _ -> goto BB2
-      end
-  }
-  BB2 {
-    _10 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _10) };
-    _11 <- level_2;
-    _12 <- f_3;
-    _13 <- borrow_mut ( * d_4);
-    d_4 <- { d_4 with current = ( ^ _13) };
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 108 12 108 42] BacktrackTo0.backtrack_to _10 _11 _12 _13);
-    goto BB3
-  }
-  BB3 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve d_4 };
-    _0 <- ();
-    goto BB5
-  }
-  BB4 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve d_4 };
-    _0 <- ();
-    goto BB5
-  }
-  BB5 {
-    return _0
-  }
-  
-end
-module CreuSat_Trail_Impl0_EnqAssignment_Interface
-  use mach.int.UInt64
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToLit_Interface as ClausePostWithRegardsToLit0
-  clone CreuSat_Logic_LogicLit_Impl1_Sat_Interface as Sat0
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model3 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_Logic_Unset_Interface as Unset1
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model2
-  clone CreuSat_Logic_LogicLit_Impl1_IdxInTrail_Interface as IdxInTrail0
-  clone CreuSat_Logic_LogicLit_Impl1_Unsat_Interface as Unsat0
-  clone CreuSat_Logic_LogicLit_Impl1_Unset_Interface as Unset0
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant_Interface as Invariant3
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant0
-  val enq_assignment [@cfg:stackify] (self : borrowed (Type.creusat_trail_trail)) (step : Type.creusat_trail_step) (_f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 211 4 211 43] Invariant0.invariant' ( * self) _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 212 4 212 31] Invariant1.invariant' _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 213 4 213 49] Invariant2.invariant' (Type.creusat_trail_step_Step_lit step) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 214 4 214 36] Invariant3.invariant' step _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 215 4 228 7] match (Type.creusat_trail_step_Step_reason step) with
-      | Type.CreuSat_Trail_Reason_Long cref -> UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) && Unset0.unset (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) 0) (Type.creusat_trail_trail_Trail_assignments ( * self)) && (forall i : (int) . 1 <= i && i < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) -> Unsat0.unsat (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) i) (Type.creusat_trail_trail_Trail_assignments ( * self))) && Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) 0 = Type.creusat_trail_step_Step_lit step
-      | Type.CreuSat_Trail_Reason_Unit cref -> UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) && Type.creusat_trail_step_Step_lit step = Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) 0
-      | _ -> true
-      end}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 229 4 229 51] not IdxInTrail0.idx_in_trail (Type.creusat_trail_step_Step_lit step) (Type.creusat_trail_trail_Trail_trail ( * self))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 230 4 230 67] Unset1.unset (Seq.get (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self))) (IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit step)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 231 4 231 78] LongArePostUnitInner0.long_are_post_unit_inner (Model3.model (Type.creusat_trail_trail_Trail_trail ( * self))) _f (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 211 4 211 43] Invariant0.invariant' ( ^ self) _f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 232 4 233 94] forall j : (int) . 0 <= j && j < Seq.length (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self))) && j <> IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit step) -> Seq.get (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self))) j = Seq.get (Model2.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) j }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 234 4 234 49] Sat0.sat (Type.creusat_trail_step_Step_lit step) (Type.creusat_trail_trail_Trail_assignments ( ^ self)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 235 4 235 87] LongArePostUnitInner0.long_are_post_unit_inner (Model3.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) _f (Model2.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 236 4 239 7] match (Type.creusat_trail_step_Step_reason step) with
-      | Type.CreuSat_Trail_Reason_Long k -> ClausePostWithRegardsToLit0.clause_post_with_regards_to_lit (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int k)) (Type.creusat_trail_trail_Trail_assignments ( ^ self)) (Type.creusat_trail_step_Step_lit step)
-      | _ -> true
-      end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 240 4 240 65] Seq.length (Model3.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) = 1 + Seq.length (Model3.model (Type.creusat_trail_trail_Trail_trail ( * self))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 241 4 241 51] Type.creusat_trail_trail_Trail_decisions ( ^ self) = Type.creusat_trail_trail_Trail_decisions ( * self) }
-    
-end
-module CreuSat_Trail_Impl0_EnqAssignment
-  use mach.int.UInt64
-  use Type
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use prelude.Prelude
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_Logic_Unset as Unset1
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model2 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model6.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant4 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model5 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToLit as ClausePostWithRegardsToLit0 with function Model0.model = Model2.model,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Unsat as Unsat0 with function Model0.model = Model2.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_UnsetInner as UnsetInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Unset as Unset0 with function Model0.model = Model2.model,
-  predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant2 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant2.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant6 with function Model0.model = Model1.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant6.invariant',
-  function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant6.invariant', function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model5.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant3 with predicate Invariant0.invariant' = Invariant2.invariant',
-  predicate Invariant1.invariant' = Invariant4.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model3.model,
-  function Model1.model = Model2.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model3.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model3.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicLit_Impl1_IdxInTrail as IdxInTrail0 with function Model0.model = Model3.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model4.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model2.model,
-  function Model1.model = Model3.model, predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model2.model = Model4.model, function Model3.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model3.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model4.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model2.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant0 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model4.model, function Model1.model = Model3.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreuSat_Logic_LogicTrail_LemmaPushMaintainsLitNotInLess as LemmaPushMaintainsLitNotInLess0 with predicate Invariant0.invariant' = Invariant1.invariant',
-  predicate Invariant1.invariant' = Invariant0.invariant', function Model0.model = Model2.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate Unset0.unset = Unset1.unset,
-  predicate Invariant2.invariant' = Invariant3.invariant', function Model1.model = Model3.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror, axiom .
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_trail_trail
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy2
-  clone CreusotContracts_Std1_Vec_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = usize
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = usize
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model9 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model2.model
-  clone CreuSat_Lit_Impl1_Index_Interface as Index0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model8 with type t = Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global),
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model3.model
-  clone CreuSat_Assignments_Impl2_SetAssignment_Interface as SetAssignment0 with predicate Invariant0.invariant' = Invariant5.invariant',
-  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant1.invariant',
-  function Model0.model = Model8.model, predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant,
-  function Model1.model = Model9.model, function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate Unset0.unset = Unset1.unset,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  function Model2.model = Model2.model, predicate Sat0.sat = Sat0.sat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone Alloc_Vec_Impl1_Push_Interface as Push0 with type t = Type.creusat_trail_step, type a = Type.alloc_alloc_global,
-  function Model0.model = Model3.model
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = usize, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model4.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone CreuSat_Trail_Impl0_DecisionLevel_Interface as DecisionLevel0 with function Model0.model = Model4.model
-  let rec cfg enq_assignment [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 242 4 242 62] (self : borrowed (Type.creusat_trail_trail)) (step : Type.creusat_trail_step) (_f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 211 4 211 43] Invariant0.invariant' ( * self) _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 212 4 212 31] Invariant1.invariant' _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 213 4 213 49] Invariant2.invariant' (Type.creusat_trail_step_Step_lit step) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 214 4 214 36] Invariant3.invariant' step _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 215 4 228 7] match (Type.creusat_trail_step_Step_reason step) with
-      | Type.CreuSat_Trail_Reason_Long cref -> UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) && Unset0.unset (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) 0) (Type.creusat_trail_trail_Trail_assignments ( * self)) && (forall i : (int) . 1 <= i && i < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) -> Unsat0.unsat (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) i) (Type.creusat_trail_trail_Trail_assignments ( * self))) && Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) 0 = Type.creusat_trail_step_Step_lit step
-      | Type.CreuSat_Trail_Reason_Unit cref -> UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) && Type.creusat_trail_step_Step_lit step = Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) 0
-      | _ -> true
-      end}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 229 4 229 51] not IdxInTrail0.idx_in_trail (Type.creusat_trail_step_Step_lit step) (Type.creusat_trail_trail_Trail_trail ( * self))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 230 4 230 67] Unset1.unset (Seq.get (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self))) (IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit step)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 231 4 231 78] LongArePostUnitInner0.long_are_post_unit_inner (Model3.model (Type.creusat_trail_trail_Trail_trail ( * self))) _f (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 211 4 211 43] Invariant0.invariant' ( ^ self) _f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 232 4 233 94] forall j : (int) . 0 <= j && j < Seq.length (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self))) && j <> IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit step) -> Seq.get (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self))) j = Seq.get (Model2.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) j }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 234 4 234 49] Sat0.sat (Type.creusat_trail_step_Step_lit step) (Type.creusat_trail_trail_Trail_assignments ( ^ self)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 235 4 235 87] LongArePostUnitInner0.long_are_post_unit_inner (Model3.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) _f (Model2.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 236 4 239 7] match (Type.creusat_trail_step_Step_reason step) with
-      | Type.CreuSat_Trail_Reason_Long k -> ClausePostWithRegardsToLit0.clause_post_with_regards_to_lit (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int k)) (Type.creusat_trail_trail_Trail_assignments ( ^ self)) (Type.creusat_trail_step_Step_lit step)
-      | _ -> true
-      end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 240 4 240 65] Seq.length (Model3.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) = 1 + Seq.length (Model3.model (Type.creusat_trail_trail_Trail_trail ( * self))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 241 4 241 51] Type.creusat_trail_trail_Trail_decisions ( ^ self) = Type.creusat_trail_trail_Trail_decisions ( * self) }
-    
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_trail_trail);
-  var step_2 : Type.creusat_trail_step;
-  var _f_3 : Type.creusat_formula_formula;
-  var _4 : usize;
-  var _5 : Type.creusat_trail_trail;
-  var _6 : borrowed usize;
-  var _7 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _8 : usize;
-  var _9 : Type.creusat_lit_lit;
-  var trail_10 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var _11 : ();
-  var _12 : borrowed (Type.creusat_assignments_assignments);
-  var _13 : Type.creusat_lit_lit;
-  var _14 : Type.creusat_formula_formula;
-  var _15 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var _16 : ();
-  var _17 : ();
-  var _18 : ();
-  var _19 : borrowed (Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global));
-  var _20 : Type.creusat_trail_step;
-  var _21 : ();
-  var _22 : ();
-  var _23 : ();
-  var _24 : ();
-  {
-    self_1 <- self;
-    step_2 <- step;
-    _f_3 <- _f;
-    goto BB0
-  }
-  BB0 {
-    _5 <-  * self_1;
-    _4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 243 46 243 67] DecisionLevel0.decision_level _5);
-    goto BB1
-  }
-  BB1 {
-    _7 <- borrow_mut (Type.creusat_trail_trail_Trail_lit_to_level ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Trail_Trail a b c d e =  * self_1 in Type.CreuSat_Trail_Trail a ( ^ _7) c d e) };
-    _9 <- Type.creusat_trail_step_Step_lit step_2;
-    _8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 243 26 243 42] Index0.index _9);
-    goto BB2
-  }
-  BB2 {
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 243 8 243 43] IndexMut0.index_mut _7 _8);
-    goto BB3
-  }
-  BB3 {
-    _6 <- { _6 with current = _4 };
-    assume { Resolve0.resolve _6 };
-    trail_10 <- Type.creusat_trail_trail_Trail_trail ( * self_1);
-    _12 <- borrow_mut (Type.creusat_trail_trail_Trail_assignments ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Trail_Trail a b c d e =  * self_1 in Type.CreuSat_Trail_Trail ( ^ _12) b c d e) };
-    _13 <- Type.creusat_trail_step_Step_lit step_2;
-    _14 <- _f_3;
-    _15 <- trail_10;
-    _11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 246 8 246 60] SetAssignment0.set_assignment _12 _13 _14 _15);
-    goto BB4
-  }
-  BB4 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 248 8 248 42] Invariant3.invariant' step_2 _f_3 };
-    _16 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 249 8 249 83] let _ = LemmaPushMaintainsLitNotInLess0.lemma_push_maintains_lit_not_in_less ( * self_1) _f_3 step_2 in true };
-    _17 <- ();
-    _19 <- borrow_mut (Type.creusat_trail_trail_Trail_trail ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Trail_Trail a b c d e =  * self_1 in Type.CreuSat_Trail_Trail a b ( ^ _19) d e) };
-    _20 <- step_2;
-    _18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 250 8 250 29] Push0.push _19 _20);
-    goto BB5
-  }
-  BB5 {
-    assume { Resolve1.resolve self_1 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 251 8 256 9] match (Type.creusat_trail_step_Step_reason step_2) with
-      | Type.CreuSat_Trail_Reason_Long k -> ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f_3)) (UInt64.to_int k)) (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self_1))) (IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit step_2))
-      | _ -> true
-      end };
-    _21 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 258 8 258 43] LitIsUnique0.lit_is_unique ( * self_1) };
-    _22 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 259 8 259 48] LitNotInLess0.lit_not_in_less ( * self_1) _f_3 };
-    _23 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 261 8 261 84] LongArePostUnitInner0.long_are_post_unit_inner (Model3.model (Type.creusat_trail_trail_Trail_trail ( * self_1))) _f_3 (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self_1))) };
-    _24 <- ();
-    _0 <- ();
-    return _0
-  }
-  
-end
-module CreuSat_Solver_Impl0_HandleLongClause_Interface
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface as EquisatExtensionInner0
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model0 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant4
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant3
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val handle_long_clause [@cfg:stackify] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (t : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) (d : borrowed (Type.creusat_decision_decisions)) (clause : Type.creusat_clause_clause) (s_idx : usize) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 106 4 106 37] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 107 4 107 42] Invariant1.invariant' ( * t) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 108 4 108 42] Invariant2.invariant' ( * w) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 109 4 109 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 110 4 110 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 111 4 111 46] Invariant4.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 112 4 112 52] EquisatExtensionInner0.equisat_extension_inner clause (Model0.model f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 113 4 113 36] Seq.length (Model1.model clause) > 1}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 114 4 114 41] UInt64.to_int s_idx < Seq.length (Model1.model clause)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 106 4 106 37] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 107 4 107 42] Invariant1.invariant' ( ^ t) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 108 4 108 42] Invariant2.invariant' ( ^ w) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 109 4 109 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 115 4 115 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 116 4 116 29] Equisat0.equisat ( * f) ( ^ f) }
-    
-end
-module CreuSat_Solver_Impl0_HandleLongClause
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model11 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model9 with function Model0.model = Model11.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model9.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant7 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model2 with function Model0.model = Model8.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model1.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model8.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant8 with function Model0.model = Model8.model,
-  function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant6 with predicate Invariant0.invariant' = Invariant7.invariant',
-  predicate Invariant1.invariant' = Invariant8.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model8.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model8.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model8.model,
-  function Model1.model = Model1.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model10.model,
-  function Model1.model = Model8.model, function Model2.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model1.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model8.model,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model2.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model0 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant3 with function Model0.model = Model6.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model5.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model4.model,
-  function Model1.model = Model9.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model4.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model4.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model3.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model9.model,
-  function Model1.model = Model4.model, predicate Invariant0.invariant' = Invariant6.invariant',
-  function Model2.model = Model3.model, function Model3.model = Model8.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model4.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model3.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model9.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model3.model, function Model1.model = Model4.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve6 with type t = Type.creusat_solver_solver
-  clone CreuSat_Solver_Impl0_IncreaseNumConflicts_Interface as IncreaseNumConflicts0
-  clone CreuSat_Solver_Impl0_IncreaseNumLemmas_Interface as IncreaseNumLemmas0
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve5 with type t = Type.creusat_trail_trail
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve4 with type t = Type.creusat_formula_formula
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve3 with type t = Type.creusat_decision_decisions
-  clone CreuSat_Util_UpdateSlow_Interface as UpdateSlow0
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = usize
-  clone CreuSat_Util_UpdateFast_Interface as UpdateFast0
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve7 with type t = usize
-  clone CreusotContracts_Logic_Resolve_Impl0_Resolve as Resolve0 with type t1 = usize, type t2 = usize,
-  predicate Resolve0.resolve = Resolve7.resolve, predicate Resolve1.resolve = Resolve7.resolve
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
-  clone CreuSat_Logic_LogicLit_Impl1_UnsetInner as UnsetInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Unset as Unset1 with function Model0.model = Model9.model,
-  predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Unsat as Unsat0 with function Model0.model = Model9.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_VarsInRange as VarsInRange0 with function Model0.model = Model1.model,
-  predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model14 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index1 with function Model0.model = Model14.model
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model12 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicClause_Impl2_UnitInner as UnitInner0 with predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner, function Model0.model = Model1.model,
-  predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Unit as Unit0 with function Model0.model = Model9.model,
-  predicate UnitInner0.unit_inner = UnitInner0.unit_inner
-  clone CreuSat_Clause_Impl3_UnitAndUnset_Interface as UnitAndUnset0 with function Model0.model = Model14.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal,
-  predicate Invariant0.invariant' = Invariant5.invariant', predicate Unit0.unit = Unit0.unit,
-  predicate Unset0.unset = Unset1.unset
-  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model2.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToLit as ClausePostWithRegardsToLit0 with function Model0.model = Model9.model,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Clause_Impl3_SwapLitsInClause_Interface as SwapLitsInClause0 with function Model0.model = Model12.model,
-  predicate Invariant0.invariant' = Invariant4.invariant',
-  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension,
-  function Model1.model = Model1.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model13 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model2.model
-  clone CreuSat_Formula_Impl0_Index_Interface as Index0 with function Model0.model = Model13.model
-  clone CreuSat_Logic_LogicLit_Impl1_IdxInTrail as IdxInTrail0 with function Model0.model = Model4.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Clause_Impl3_CalcLbd_Interface as CalcLbd0 with function Model0.model = Model3.model,
-  predicate Invariant0.invariant' = Invariant4.invariant'
-  clone CreuSat_Trail_Impl0_EnqAssignment_Interface as EnqAssignment0 with predicate Invariant0.invariant' = Invariant1.invariant',
-  predicate Invariant1.invariant' = Invariant0.invariant', predicate Invariant2.invariant' = Invariant7.invariant',
-  predicate Invariant3.invariant' = Invariant6.invariant', function Model0.model = Model8.model,
-  function Model1.model = Model1.model, predicate Unset0.unset = Unset1.unset, predicate Unsat0.unsat = Unsat0.unsat,
-  predicate IdxInTrail0.idx_in_trail = IdxInTrail0.idx_in_trail, function Model2.model = Model9.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate Unset1.unset = Unset0.unset,
-  function Model3.model = Model4.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat,
-  predicate ClausePostWithRegardsToLit0.clause_post_with_regards_to_lit = ClausePostWithRegardsToLit0.clause_post_with_regards_to_lit,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Trail_Impl0_BacktrackSafe_Interface as BacktrackSafe0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant3.invariant',
-  function Model0.model = Model4.model, function Model1.model = Model9.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Formula_Impl2_AddClause_Interface as AddClause0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  function Model0.model = Model1.model, predicate Invariant3.invariant' = Invariant4.invariant',
-  function Model1.model = Model0.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
-  predicate Equisat0.equisat = Equisat0.equisat, function Model2.model = Model8.model,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Solver_GetAssertingLevel_Interface as GetAssertingLevel0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', function Model0.model = Model13.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
-  predicate Invariant2.invariant' = Invariant4.invariant', function Model1.model = Model14.model,
-  predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg handle_long_clause [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 117 4 119 5] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (t : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) (d : borrowed (Type.creusat_decision_decisions)) (clause : Type.creusat_clause_clause) (s_idx : usize) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 106 4 106 37] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 107 4 107 42] Invariant1.invariant' ( * t) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 108 4 108 42] Invariant2.invariant' ( * w) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 109 4 109 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 110 4 110 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 111 4 111 46] Invariant4.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 112 4 112 52] EquisatExtensionInner0.equisat_extension_inner clause (Model0.model f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 113 4 113 36] Seq.length (Model1.model clause) > 1}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 114 4 114 41] UInt64.to_int s_idx < Seq.length (Model1.model clause)}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 106 4 106 37] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 107 4 107 42] Invariant1.invariant' ( ^ t) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 108 4 108 42] Invariant2.invariant' ( ^ w) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 109 4 109 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 115 4 115 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 116 4 116 29] Equisat0.equisat ( * f) ( ^ f) }
-    
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_solver_solver);
-  var f_2 : borrowed (Type.creusat_formula_formula);
-  var t_3 : borrowed (Type.creusat_trail_trail);
-  var w_4 : borrowed (Type.creusat_watches_watches);
-  var d_5 : borrowed (Type.creusat_decision_decisions);
-  var clause_6 : Type.creusat_clause_clause;
-  var s_idx_7 : usize;
-  var _8 : ();
-  var _9 : borrowed (Type.creusat_clause_clause);
-  var _10 : Type.creusat_formula_formula;
-  var _11 : usize;
-  var idx_12 : usize;
-  var level_13 : usize;
-  var _14 : (usize, usize);
-  var _15 : Type.creusat_clause_clause;
-  var _16 : Type.creusat_clause_clause;
-  var _17 : Type.creusat_trail_trail;
-  var _18 : Type.creusat_formula_formula;
-  var _19 : ();
-  var _20 : borrowed (Type.creusat_clause_clause);
-  var _21 : Type.creusat_formula_formula;
-  var _22 : usize;
-  var lbd_23 : usize;
-  var _24 : Type.creusat_clause_clause;
-  var _25 : Type.creusat_formula_formula;
-  var _26 : borrowed (Type.creusat_solver_solver);
-  var _27 : Type.creusat_trail_trail;
-  var cref_28 : usize;
-  var _29 : borrowed (Type.creusat_formula_formula);
-  var _30 : Type.creusat_clause_clause;
-  var _31 : borrowed (Type.creusat_watches_watches);
-  var _32 : Type.creusat_trail_trail;
-  var _33 : ();
-  var _34 : borrowed usize;
-  var _35 : borrowed usize;
-  var _36 : usize;
-  var _37 : ();
-  var _38 : borrowed usize;
-  var _39 : borrowed usize;
-  var _40 : usize;
-  var _41 : ();
-  var _42 : borrowed (Type.creusat_trail_trail);
-  var _43 : usize;
-  var _44 : Type.creusat_formula_formula;
-  var _45 : borrowed (Type.creusat_decision_decisions);
-  var lit_46 : Type.creusat_lit_lit;
-  var _47 : Type.creusat_lit_lit;
-  var _48 : Type.creusat_clause_clause;
-  var _49 : Type.creusat_clause_clause;
-  var _50 : Type.creusat_formula_formula;
-  var _51 : usize;
-  var step_52 : Type.creusat_trail_step;
-  var _53 : Type.creusat_lit_lit;
-  var _54 : usize;
-  var _55 : Type.creusat_trail_reason;
-  var _56 : usize;
-  var _57 : ();
-  var _58 : bool;
-  var _59 : Type.creusat_clause_clause;
-  var _60 : Type.creusat_clause_clause;
-  var _61 : Type.creusat_formula_formula;
-  var _62 : usize;
-  var _63 : Type.creusat_assignments_assignments;
-  var _64 : Type.creusat_assignments_assignments;
-  var _65 : Type.creusat_formula_formula;
-  var _66 : ();
-  var _67 : borrowed (Type.creusat_trail_trail);
-  var _68 : Type.creusat_trail_step;
-  var _69 : Type.creusat_formula_formula;
-  var _70 : ();
-  var _71 : borrowed (Type.creusat_solver_solver);
-  var _72 : ();
-  var _73 : borrowed (Type.creusat_solver_solver);
-  {
-    self_1 <- self;
-    f_2 <- f;
-    t_3 <- t;
-    w_4 <- w;
-    d_5 <- d;
-    clause_6 <- clause;
-    s_idx_7 <- s_idx;
-    goto BB0
-  }
-  BB0 {
-    goto BB1
-  }
-  BB1 {
-    goto BB2
-  }
-  BB2 {
-    goto BB3
-  }
-  BB3 {
-    goto BB4
-  }
-  BB4 {
-    _9 <- borrow_mut clause_6;
-    clause_6 <-  ^ _9;
-    _10 <-  * f_2;
-    _11 <- s_idx_7;
-    _8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 120 8 120 47] SwapLitsInClause0.swap_lits_in_clause _9 _10 _11 (0 : usize));
-    goto BB5
-  }
-  BB5 {
-    _16 <- clause_6;
-    _15 <- _16;
-    _17 <-  * t_3;
-    _18 <-  * f_2;
-    _14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 121 27 121 61] GetAssertingLevel0.get_asserting_level _15 _17 _18);
-    goto BB6
-  }
-  BB6 {
-    idx_12 <- (let (a, _) = _14 in a);
-    level_13 <- (let (_, a) = _14 in a);
-    assume { Resolve0.resolve _14 };
-    _20 <- borrow_mut clause_6;
-    clause_6 <-  ^ _20;
-    _21 <-  * f_2;
-    _22 <- idx_12;
-    _19 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 122 8 122 45] SwapLitsInClause0.swap_lits_in_clause _20 _21 _22 (1 : usize));
-    goto BB7
-  }
-  BB7 {
-    _24 <- clause_6;
-    _25 <-  * f_2;
-    _26 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _26) };
-    _27 <-  * t_3;
-    lbd_23 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 125 18 125 45] CalcLbd0.calc_lbd _24 _25 _26 _27);
-    goto BB8
-  }
-  BB8 {
-    _29 <- borrow_mut ( * f_2);
-    f_2 <- { f_2 with current = ( ^ _29) };
-    _30 <- clause_6;
-    _31 <- borrow_mut ( * w_4);
-    w_4 <- { w_4 with current = ( ^ _31) };
-    _32 <-  * t_3;
-    cref_28 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 126 19 126 45] AddClause0.add_clause _29 _30 _31 _32);
-    goto BB9
-  }
-  BB9 {
-    assume { Resolve1.resolve w_4 };
-    _35 <- borrow_mut (Type.creusat_solver_solver_Solver_fast ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Solver_Solver a b c d e f g h =  * self_1 in Type.CreuSat_Solver_Solver a b c d e ( ^ _35) g h) };
-    _34 <- borrow_mut ( * _35);
-    _35 <- { _35 with current = ( ^ _34) };
-    _36 <- lbd_23;
-    _33 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 127 8 127 40] UpdateFast0.update_fast _34 _36);
-    goto BB10
-  }
-  BB10 {
-    assume { Resolve2.resolve _35 };
-    _39 <- borrow_mut (Type.creusat_solver_solver_Solver_slow ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Solver_Solver a b c d e f g h =  * self_1 in Type.CreuSat_Solver_Solver a b c d e f ( ^ _39) h) };
-    _38 <- borrow_mut ( * _39);
-    _39 <- { _39 with current = ( ^ _38) };
-    _40 <- lbd_23;
-    _37 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 128 8 128 40] UpdateSlow0.update_slow _38 _40);
-    goto BB11
-  }
-  BB11 {
-    assume { Resolve2.resolve _39 };
-    _42 <- borrow_mut ( * t_3);
-    t_3 <- { t_3 with current = ( ^ _42) };
-    _43 <- level_13;
-    _44 <-  * f_2;
-    _45 <- borrow_mut ( * d_5);
-    d_5 <- { d_5 with current = ( ^ _45) };
-    _41 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 131 8 131 37] BacktrackSafe0.backtrack_safe _42 _43 _44 _45);
-    goto BB12
-  }
-  BB12 {
-    assume { Resolve3.resolve d_5 };
-    _50 <-  * f_2;
-    _51 <- cref_28;
-    _49 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 133 18 133 25] Index0.index _50 _51);
-    goto BB13
-  }
-  BB13 {
-    _48 <- _49;
-    _47 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 133 18 133 28] Index1.index _48 (0 : usize));
-    goto BB14
-  }
-  BB14 {
-    lit_46 <- _47;
-    _53 <- lit_46;
-    _54 <- level_13;
-    _56 <- cref_28;
-    _55 <- Type.CreuSat_Trail_Reason_Long _56;
-    step_52 <- Type.CreuSat_Trail_Step _53 _54 _55;
-    _61 <-  * f_2;
-    _62 <- cref_28;
-    _60 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 140 11 140 18] Index0.index _61 _62);
-    goto BB15
-  }
-  BB15 {
-    _59 <- _60;
-    _64 <- Type.creusat_trail_trail_Trail_assignments ( * t_3);
-    _63 <- _64;
-    _65 <-  * f_2;
-    _58 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 140 11 140 52] UnitAndUnset0.unit_and_unset _59 _63 _65);
-    goto BB16
-  }
-  BB16 {
-    switch (_58)
-      | False -> goto BB19
-      | _ -> goto BB17
-      end
-  }
-  BB17 {
-    _67 <- borrow_mut ( * t_3);
-    t_3 <- { t_3 with current = ( ^ _67) };
-    _68 <- step_52;
-    _69 <-  * f_2;
-    assume { Resolve4.resolve f_2 };
-    _66 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 141 12 141 37] EnqAssignment0.enq_assignment _67 _68 _69);
-    goto BB18
-  }
-  BB18 {
-    assume { Resolve5.resolve t_3 };
-    _57 <- ();
-    goto BB20
-  }
-  BB19 {
-    assume { Resolve4.resolve f_2 };
-    assume { Resolve5.resolve t_3 };
-    _57 <- ();
-    goto BB20
-  }
-  BB20 {
-    _71 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _71) };
-    _70 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 144 8 144 34] IncreaseNumLemmas0.increase_num_lemmas _71);
-    goto BB21
-  }
-  BB21 {
-    _73 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _73) };
-    _72 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 145 8 145 37] IncreaseNumConflicts0.increase_num_conflicts _73);
-    goto BB22
-  }
-  BB22 {
-    assume { Resolve6.resolve self_1 };
-    _0 <- ();
-    goto BB23
-  }
-  BB23 {
-    return _0
-  }
-  
-end
-module CreuSat_Trail_Impl0_LearnUnit_Interface
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use Type
-  use prelude.Prelude
-  clone CreuSat_Logic_LogicLit_Impl1_Sat_Interface as Sat0
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model3
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model2 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant3
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant2 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant0
-  val learn_unit [@cfg:stackify] (self : borrowed (Type.creusat_trail_trail)) (cref : usize) (f : Type.creusat_formula_formula) (d : borrowed (Type.creusat_decision_decisions)) : Type.core_result_result () ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 302 4 302 42] Invariant0.invariant' ( * self) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 303 4 303 48] Invariant1.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 304 4 304 30] Invariant2.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 305 4 305 43] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 306 4 306 50] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) = 1}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 307 4 307 59] Invariant3.invariant' (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref)) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 313 4 313 77] LongArePostUnitInner0.long_are_post_unit_inner (Model2.model (Type.creusat_trail_trail_Trail_trail ( * self))) f (Model3.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 302 4 302 42] Invariant0.invariant' ( ^ self) f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 303 4 303 48] Invariant1.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 310 4 312 70] match (result) with
-      | Type.Core_Result_Result_Err _ -> true
-      | Type.Core_Result_Result_Ok _ -> Sat0.sat (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) 0) (Type.creusat_trail_trail_Trail_assignments ( ^ self))
-      end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 314 4 314 86] LongArePostUnitInner0.long_are_post_unit_inner (Model2.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) f (Model3.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
-    
-end
-module CreuSat_Trail_Impl0_LearnUnit
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use Type
-  use prelude.Prelude
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model3 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model3.model
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model3.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model1.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model1.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model6 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant2 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model6.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant1 with function Model0.model = Model5.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model2.model,
-  function Model1.model = Model3.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model2.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model2.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model4.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model3.model,
-  function Model1.model = Model2.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model4.model, function Model3.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model2.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model4.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model3.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant0 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model4.model, function Model1.model = Model2.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreuSat_Logic_Logic_Unset as Unset1
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_trail_trail
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy2
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_decision_decisions
-  clone CreuSat_Logic_LogicLit_Impl1_UnsetInner as UnsetInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Unsat as Unsat0 with function Model0.model = Model3.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Unset as Unset0 with function Model0.model = Model3.model,
-  predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model11 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model3.model
-  clone CreuSat_Lit_Impl1_LitSet_Interface as LitSet0 with function Model0.model = Model11.model,
-  predicate Invariant0.invariant' = Invariant6.invariant', predicate Unset0.unset = Unset0.unset
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model10 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index1 with function Model0.model = Model10.model
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToLit as ClausePostWithRegardsToLit0 with function Model0.model = Model3.model,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model9 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model6.model
-  clone CreuSat_Formula_Impl0_Index_Interface as Index0 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicLit_Impl1_IdxInTrail as IdxInTrail0 with function Model0.model = Model2.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Trail_Impl0_DecisionLevel_Interface as DecisionLevel0 with function Model0.model = Model4.model
-  clone CreuSat_Trail_Impl0_EnqAssignment_Interface as EnqAssignment0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant6.invariant',
-  predicate Invariant3.invariant' = Invariant5.invariant', function Model0.model = Model0.model,
-  function Model1.model = Model1.model, predicate Unset0.unset = Unset0.unset, predicate Unsat0.unsat = Unsat0.unsat,
-  predicate IdxInTrail0.idx_in_trail = IdxInTrail0.idx_in_trail, function Model2.model = Model3.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate Unset1.unset = Unset1.unset,
-  function Model3.model = Model2.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat,
-  predicate ClausePostWithRegardsToLit0.clause_post_with_regards_to_lit = ClausePostWithRegardsToLit0.clause_post_with_regards_to_lit,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Trail_Impl0_BacktrackTo_Interface as BacktrackTo0 with function Model0.model = Model4.model,
-  predicate Invariant0.invariant' = Invariant2.invariant', predicate Invariant1.invariant' = Invariant0.invariant',
-  predicate Invariant2.invariant' = Invariant1.invariant', function Model1.model = Model2.model,
-  function Model2.model = Model3.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg learn_unit [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 315 4 315 95] (self : borrowed (Type.creusat_trail_trail)) (cref : usize) (f : Type.creusat_formula_formula) (d : borrowed (Type.creusat_decision_decisions)) : Type.core_result_result () ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 302 4 302 42] Invariant0.invariant' ( * self) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 303 4 303 48] Invariant1.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 304 4 304 30] Invariant2.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 305 4 305 43] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 306 4 306 50] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) = 1}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 307 4 307 59] Invariant3.invariant' (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref)) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 313 4 313 77] LongArePostUnitInner0.long_are_post_unit_inner (Model2.model (Type.creusat_trail_trail_Trail_trail ( * self))) f (Model3.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 302 4 302 42] Invariant0.invariant' ( ^ self) f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 303 4 303 48] Invariant1.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 310 4 312 70] match (result) with
-      | Type.Core_Result_Result_Err _ -> true
-      | Type.Core_Result_Result_Ok _ -> Sat0.sat (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) 0) (Type.creusat_trail_trail_Trail_assignments ( ^ self))
-      end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 314 4 314 86] LongArePostUnitInner0.long_are_post_unit_inner (Model2.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) f (Model3.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
-    
-   =
-  var _0 : Type.core_result_result () ();
-  var self_1 : borrowed (Type.creusat_trail_trail);
-  var cref_2 : usize;
-  var f_3 : Type.creusat_formula_formula;
-  var d_4 : borrowed (Type.creusat_decision_decisions);
-  var _5 : ();
-  var _6 : bool;
-  var _7 : usize;
-  var _8 : Type.creusat_trail_trail;
-  var _9 : ();
-  var _10 : borrowed (Type.creusat_trail_trail);
-  var _11 : Type.creusat_formula_formula;
-  var _12 : borrowed (Type.creusat_decision_decisions);
-  var _13 : ();
-  var _14 : bool;
-  var _15 : Type.creusat_lit_lit;
-  var _16 : Type.creusat_lit_lit;
-  var _17 : Type.creusat_clause_clause;
-  var _18 : Type.creusat_clause_clause;
-  var _19 : Type.creusat_formula_formula;
-  var _20 : usize;
-  var _21 : Type.creusat_assignments_assignments;
-  var _22 : Type.creusat_assignments_assignments;
-  var _23 : ();
-  var _24 : ();
-  var _25 : ();
-  var _26 : borrowed (Type.creusat_trail_trail);
-  var _27 : Type.creusat_trail_step;
-  var _28 : Type.creusat_lit_lit;
-  var _29 : Type.creusat_lit_lit;
-  var _30 : Type.creusat_clause_clause;
-  var _31 : Type.creusat_clause_clause;
-  var _32 : Type.creusat_formula_formula;
-  var _33 : usize;
-  var _34 : Type.creusat_trail_reason;
-  var _35 : usize;
-  var _36 : Type.creusat_formula_formula;
-  var _37 : ();
-  {
-    self_1 <- self;
-    cref_2 <- cref;
-    f_3 <- f;
-    d_4 <- d;
-    goto BB0
-  }
-  BB0 {
-    _8 <-  * self_1;
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 316 11 316 32] DecisionLevel0.decision_level _8);
-    goto BB1
-  }
-  BB1 {
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 316 11 316 36] _7 > (0 : usize));
-    switch (_6)
-      | False -> goto BB4
-      | _ -> goto BB2
-      end
-  }
-  BB2 {
-    _10 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _10) };
-    _11 <- f_3;
-    _12 <- borrow_mut ( * d_4);
-    d_4 <- { d_4 with current = ( ^ _12) };
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 317 12 317 38] BacktrackTo0.backtrack_to _10 (0 : usize) _11 _12);
-    goto BB3
-  }
-  BB3 {
-    assume { Resolve0.resolve d_4 };
-    _5 <- ();
-    goto BB5
-  }
-  BB4 {
-    assume { Resolve0.resolve d_4 };
-    _5 <- ();
-    goto BB5
-  }
-  BB5 {
-    _19 <- f_3;
-    _20 <- cref_2;
-    _18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 321 11 321 18] Index0.index _19 _20);
-    goto BB6
-  }
-  BB6 {
-    _17 <- _18;
-    _16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 321 11 321 21] Index1.index _17 (0 : usize));
-    goto BB7
-  }
-  BB7 {
-    _15 <- _16;
-    _22 <- Type.creusat_trail_trail_Trail_assignments ( * self_1);
-    _21 <- _22;
-    _14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 321 11 321 48] LitSet0.lit_set _15 _21);
-    goto BB8
-  }
-  BB8 {
-    switch (_14)
-      | False -> goto BB10
-      | _ -> goto BB9
-      end
-  }
-  BB9 {
-    assume { Resolve1.resolve self_1 };
-    _24 <- ();
-    _0 <- Type.Core_Result_Result_Err _24;
-    goto BB14
-  }
-  BB10 {
-    _13 <- ();
-    _26 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _26) };
-    _32 <- f_3;
-    _33 <- cref_2;
-    _31 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 324 40 324 47] Index0.index _32 _33);
-    goto BB11
-  }
-  BB11 {
-    _30 <- _31;
-    _29 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 324 40 324 50] Index1.index _30 (0 : usize));
-    goto BB12
-  }
-  BB12 {
-    _28 <- _29;
-    _35 <- cref_2;
-    _34 <- Type.CreuSat_Trail_Reason_Unit _35;
-    _27 <- Type.CreuSat_Trail_Step _28 (0 : usize) _34;
-    _36 <- f_3;
-    _25 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 324 8 324 103] EnqAssignment0.enq_assignment _26 _27 _36);
-    goto BB13
-  }
-  BB13 {
-    assume { Resolve1.resolve self_1 };
-    _37 <- ();
-    _0 <- Type.Core_Result_Result_Ok _37;
-    goto BB14
-  }
-  BB14 {
-    return _0
-  }
-  
-end
-module CreuSat_Solver_Impl0_HandleConflict_Interface
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable_Interface as NotSatisfiable0
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant3
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val handle_conflict [@cfg:stackify] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (t : borrowed (Type.creusat_trail_trail)) (cref : usize) (w : borrowed (Type.creusat_watches_watches)) (d : borrowed (Type.creusat_decision_decisions)) : Type.core_option_option bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 149 4 149 37] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 150 4 150 42] Invariant1.invariant' ( * t) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 151 4 151 42] Invariant2.invariant' ( * w) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 152 4 152 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 153 4 153 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 154 4 154 43] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 155 4 155 57] Unsat0.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref)) (Type.creusat_trail_trail_Trail_assignments ( * t))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 149 4 149 37] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 150 4 150 42] Invariant1.invariant' ( ^ t) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 151 4 151 42] Invariant2.invariant' ( ^ w) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 152 4 152 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 156 4 156 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 157 4 157 29] Equisat0.equisat ( * f) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 158 4 162 7] match (result) with
-      | Type.Core_Option_Option_Some (False) -> NotSatisfiable0.not_satisfiable ( ^ f)
-      | Type.Core_Option_Option_Some (True) -> true
-      | Type.Core_Option_Option_None -> true
-      end }
-    
-end
-module CreuSat_Solver_Impl0_HandleConflict
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model7 with function Model0.model = Model10.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model6 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model7.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model6.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant7 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model7.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner as UnsatInner0 with function Model0.model = Model7.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat as Unsat0 with function Model0.model = Model6.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant8 with function Model0.model = Model0.model,
-  function Model1.model = Model7.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant6 with predicate Invariant0.invariant' = Invariant7.invariant',
-  predicate Invariant1.invariant' = Invariant8.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model0.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model0.model,
-  function Model1.model = Model7.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model8.model,
-  function Model1.model = Model0.model, function Model2.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model1 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model1.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model7.model,
-  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model7.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model1.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant3 with function Model0.model = Model5.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model4.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model3.model,
-  function Model1.model = Model6.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model3.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model3.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model2.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model6.model,
-  function Model1.model = Model3.model, predicate Invariant0.invariant' = Invariant6.invariant',
-  function Model2.model = Model2.model, function Model3.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model3.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model2.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model6.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model2.model, function Model1.model = Model3.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  use mach.int.Int64
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve4 with type t = Type.creusat_decision_decisions
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve3 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_trail_trail
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_formula_formula
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_solver_solver
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreuSat_Logic_LogicClause_Impl2_Equals as Equals0 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicFormula_Compatible as Compatible0 with predicate Equals0.equals = Equals0.equals
-  clone CreuSat_Logic_LogicFormula_Equisat as Equisat1 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicFormula_EquisatCompatibleInner as EquisatCompatibleInner0 with predicate Compatible0.compatible = Compatible0.compatible,
-  predicate Equisat0.equisat = Equisat1.equisat
-  clone CreuSat_Logic_LogicFormula_Impl1_EquisatCompatible as EquisatCompatible0 with function Model0.model = Model1.model,
-  predicate EquisatCompatibleInner0.equisat_compatible_inner = EquisatCompatibleInner0.equisat_compatible_inner
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model12 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model11 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Formula_Impl2_SimplifyFormula_Interface as SimplifyFormula0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant1.invariant',
-  predicate Equisat0.equisat = Equisat0.equisat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Formula_Impl2_ReduceDb_Interface as ReduceDb0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant1.invariant',
-  predicate Equisat0.equisat = Equisat0.equisat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Trail_Impl0_LearnUnit_Interface as LearnUnit0 with predicate Invariant0.invariant' = Invariant1.invariant',
-  predicate Invariant1.invariant' = Invariant3.invariant', predicate Invariant2.invariant' = Invariant0.invariant',
-  function Model0.model = Model0.model, function Model1.model = Model7.model,
-  predicate Invariant3.invariant' = Invariant4.invariant', function Model2.model = Model3.model,
-  function Model3.model = Model6.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Formula_Impl2_AddUnit_Interface as AddUnit0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', function Model0.model = Model7.model,
-  predicate Invariant2.invariant' = Invariant4.invariant',
-  predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner,
-  function Model1.model = Model12.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
-  predicate EquisatCompatible0.equisat_compatible = EquisatCompatible0.equisat_compatible,
-  predicate Equisat0.equisat = Equisat0.equisat, function Model2.model = Model0.model,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Solver_Impl0_HandleLongClause_Interface as HandleLongClause0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  predicate Invariant3.invariant' = Invariant3.invariant', predicate Invariant4.invariant' = Invariant4.invariant',
-  function Model0.model = Model12.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
-  function Model1.model = Model7.model, predicate Equisat0.equisat = Equisat0.equisat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Trail_Impl0_BacktrackSafe_Interface as BacktrackSafe0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant3.invariant',
-  function Model0.model = Model3.model, function Model1.model = Model6.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Formula_Impl2_AddClause_Interface as AddClause0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  function Model0.model = Model7.model, predicate Invariant3.invariant' = Invariant4.invariant',
-  function Model1.model = Model12.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
-  predicate Equisat0.equisat = Equisat0.equisat, function Model2.model = Model0.model,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_ConflictAnalysis_AnalyzeConflict_Interface as AnalyzeConflict0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', function Model0.model = Model0.model,
-  predicate Unsat0.unsat = Unsat0.unsat, predicate Invariant2.invariant' = Invariant3.invariant',
-  predicate NotSatisfiable0.not_satisfiable = NotSatisfiable0.not_satisfiable,
-  predicate Invariant3.invariant' = Invariant4.invariant', function Model1.model = Model7.model,
-  predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner,
-  function Model2.model = Model11.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg handle_conflict [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 163 4 165 21] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (t : borrowed (Type.creusat_trail_trail)) (cref : usize) (w : borrowed (Type.creusat_watches_watches)) (d : borrowed (Type.creusat_decision_decisions)) : Type.core_option_option bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 149 4 149 37] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 150 4 150 42] Invariant1.invariant' ( * t) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 151 4 151 42] Invariant2.invariant' ( * w) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 152 4 152 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 153 4 153 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 154 4 154 43] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 155 4 155 57] Unsat0.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref)) (Type.creusat_trail_trail_Trail_assignments ( * t))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 149 4 149 37] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 150 4 150 42] Invariant1.invariant' ( ^ t) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 151 4 151 42] Invariant2.invariant' ( ^ w) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 152 4 152 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 156 4 156 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 157 4 157 29] Equisat0.equisat ( * f) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 158 4 162 7] match (result) with
-      | Type.Core_Option_Option_Some (False) -> NotSatisfiable0.not_satisfiable ( ^ f)
-      | Type.Core_Option_Option_Some (True) -> true
-      | Type.Core_Option_Option_None -> true
-      end }
-    
-   =
-  var _0 : Type.core_option_option bool;
-  var self_1 : borrowed (Type.creusat_solver_solver);
-  var f_2 : borrowed (Type.creusat_formula_formula);
-  var t_3 : borrowed (Type.creusat_trail_trail);
-  var cref_4 : usize;
-  var w_5 : borrowed (Type.creusat_watches_watches);
-  var d_6 : borrowed (Type.creusat_decision_decisions);
-  var res_7 : Type.creusat_conflictanalysis_conflict;
-  var _8 : Type.creusat_formula_formula;
-  var _9 : Type.creusat_trail_trail;
-  var _10 : usize;
-  var _11 : borrowed (Type.creusat_decision_decisions);
-  var _12 : ();
-  var _13 : isize;
-  var _14 : ();
-  var clause_15 : Type.creusat_clause_clause;
-  var cref_16 : usize;
-  var _17 : borrowed (Type.creusat_formula_formula);
-  var _18 : Type.creusat_clause_clause;
-  var _19 : Type.creusat_trail_trail;
-  var _20 : ();
-  var _21 : Type.core_result_result () ();
-  var _22 : borrowed (Type.creusat_trail_trail);
-  var _23 : usize;
-  var _24 : Type.creusat_formula_formula;
-  var _25 : borrowed (Type.creusat_decision_decisions);
-  var _26 : isize;
-  var _27 : ();
-  var _28 : ();
-  var _29 : borrowed (Type.creusat_formula_formula);
-  var _30 : borrowed (Type.creusat_watches_watches);
-  var _31 : Type.creusat_trail_trail;
-  var _32 : borrowed (Type.creusat_solver_solver);
-  var _33 : ();
-  var _34 : borrowed (Type.creusat_formula_formula);
-  var _35 : borrowed (Type.creusat_watches_watches);
-  var _36 : Type.creusat_trail_trail;
-  var s_idx_37 : usize;
-  var clause_38 : Type.creusat_clause_clause;
-  var _39 : ();
-  var _40 : borrowed (Type.creusat_solver_solver);
-  var _41 : borrowed (Type.creusat_formula_formula);
-  var _42 : borrowed (Type.creusat_trail_trail);
-  var _43 : borrowed (Type.creusat_watches_watches);
-  var _44 : borrowed (Type.creusat_decision_decisions);
-  var _45 : Type.creusat_clause_clause;
-  var _46 : usize;
-  var clause_47 : Type.creusat_clause_clause;
-  var _48 : usize;
-  var _49 : borrowed (Type.creusat_formula_formula);
-  var _50 : Type.creusat_clause_clause;
-  var _51 : borrowed (Type.creusat_watches_watches);
-  var _52 : Type.creusat_trail_trail;
-  var _53 : ();
-  var _54 : borrowed (Type.creusat_trail_trail);
-  var _55 : Type.creusat_formula_formula;
-  var _56 : borrowed (Type.creusat_decision_decisions);
-  {
-    self_1 <- self;
-    f_2 <- f;
-    t_3 <- t;
-    cref_4 <- cref;
-    w_5 <- w;
-    d_6 <- d;
-    goto BB0
-  }
-  BB0 {
-    _8 <-  * f_2;
-    _9 <-  * t_3;
-    _10 <- cref_4;
-    _11 <- borrow_mut ( * d_6);
-    d_6 <- { d_6 with current = ( ^ _11) };
-    res_7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 166 18 166 49] AnalyzeConflict0.analyze_conflict _8 _9 _10 _11);
-    goto BB1
-  }
-  BB1 {
-    switch (res_7)
-      | Type.CreuSat_ConflictAnalysis_Conflict_Ground -> goto BB4
-      | Type.CreuSat_ConflictAnalysis_Conflict_Unit _ -> goto BB5
-      | Type.CreuSat_ConflictAnalysis_Conflict_Learned _ _ -> goto BB14
-      | Type.CreuSat_ConflictAnalysis_Conflict_Restart _ -> goto BB2
-      end
-  }
-  BB2 {
-    assume { Resolve0.resolve self_1 };
-    clause_47 <- Type.creusat_conflictanalysis_conflict_Restart_0 res_7;
-    _49 <- borrow_mut ( * f_2);
-    f_2 <- { f_2 with current = ( ^ _49) };
-    _50 <- clause_47;
-    _51 <- borrow_mut ( * w_5);
-    w_5 <- { w_5 with current = ( ^ _51) };
-    _52 <-  * t_3;
-    _48 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 187 16 187 42] AddClause0.add_clause _49 _50 _51 _52);
-    goto BB17
-  }
-  BB3 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve f_2 };
-    assume { Resolve2.resolve t_3 };
-    assume { Resolve3.resolve w_5 };
-    assume { Resolve4.resolve d_6 };
-    absurd
-  }
-  BB4 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve f_2 };
-    assume { Resolve2.resolve t_3 };
-    assume { Resolve3.resolve w_5 };
-    assume { Resolve4.resolve d_6 };
-    _0 <- Type.Core_Option_Option_Some false;
-    goto BB23
-  }
-  BB5 {
-    clause_15 <- Type.creusat_conflictanalysis_conflict_Unit_0 res_7;
-    _17 <- borrow_mut ( * f_2);
-    f_2 <- { f_2 with current = ( ^ _17) };
-    _18 <- clause_15;
-    _19 <-  * t_3;
-    cref_16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 175 27 175 48] AddUnit0.add_unit _17 _18 _19);
-    goto BB6
-  }
-  BB6 {
-    _22 <- borrow_mut ( * t_3);
-    t_3 <- { t_3 with current = ( ^ _22) };
-    _23 <- cref_16;
-    _24 <-  * f_2;
-    _25 <- borrow_mut ( * d_6);
-    d_6 <- { d_6 with current = ( ^ _25) };
-    _21 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 176 22 176 46] LearnUnit0.learn_unit _22 _23 _24 _25);
-    goto BB7
-  }
-  BB7 {
-    assume { Resolve4.resolve d_6 };
-    switch (_21)
-      | Type.Core_Result_Result_Ok _ -> goto BB8
-      | Type.Core_Result_Result_Err _ -> goto BB10
-      end
-  }
-  BB8 {
-    _20 <- ();
-    _29 <- borrow_mut ( * f_2);
-    f_2 <- { f_2 with current = ( ^ _29) };
-    _30 <- borrow_mut ( * w_5);
-    w_5 <- { w_5 with current = ( ^ _30) };
-    _31 <-  * t_3;
-    _32 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _32) };
-    _28 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 180 16 180 38] ReduceDb0.reduceDB _29 _30 _31 _32);
-    goto BB11
-  }
-  BB9 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve f_2 };
-    assume { Resolve2.resolve t_3 };
-    assume { Resolve3.resolve w_5 };
-    absurd
-  }
-  BB10 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve f_2 };
-    assume { Resolve2.resolve t_3 };
-    assume { Resolve3.resolve w_5 };
-    _0 <- Type.Core_Option_Option_Some true;
-    goto BB22
-  }
-  BB11 {
-    assume { Resolve0.resolve self_1 };
-    _34 <- borrow_mut ( * f_2);
-    f_2 <- { f_2 with current = ( ^ _34) };
-    _35 <- borrow_mut ( * w_5);
-    w_5 <- { w_5 with current = ( ^ _35) };
-    _36 <-  * t_3;
-    assume { Resolve2.resolve t_3 };
-    _33 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 181 16 181 40] SimplifyFormula0.simplify_formula _34 _35 _36);
-    goto BB12
-  }
-  BB12 {
-    assume { Resolve1.resolve f_2 };
-    assume { Resolve3.resolve w_5 };
-    _12 <- ();
-    goto BB13
-  }
-  BB13 {
-    goto BB20
-  }
-  BB14 {
-    s_idx_37 <- Type.creusat_conflictanalysis_conflict_Learned_0 res_7;
-    clause_38 <- Type.creusat_conflictanalysis_conflict_Learned_1 res_7;
-    _40 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _40) };
-    _41 <- borrow_mut ( * f_2);
-    f_2 <- { f_2 with current = ( ^ _41) };
-    _42 <- borrow_mut ( * t_3);
-    t_3 <- { t_3 with current = ( ^ _42) };
-    _43 <- borrow_mut ( * w_5);
-    w_5 <- { w_5 with current = ( ^ _43) };
-    _44 <- borrow_mut ( * d_6);
-    d_6 <- { d_6 with current = ( ^ _44) };
-    _45 <- clause_38;
-    _46 <- s_idx_37;
-    _39 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 184 16 184 66] HandleLongClause0.handle_long_clause _40 _41 _42 _43 _44 _45 _46);
-    goto BB15
-  }
-  BB15 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve f_2 };
-    assume { Resolve2.resolve t_3 };
-    assume { Resolve3.resolve w_5 };
-    assume { Resolve4.resolve d_6 };
-    _12 <- ();
-    goto BB16
-  }
-  BB16 {
-    goto BB20
-  }
-  BB17 {
-    assume { Resolve3.resolve w_5 };
-    _54 <- borrow_mut ( * t_3);
-    t_3 <- { t_3 with current = ( ^ _54) };
-    _55 <-  * f_2;
-    assume { Resolve1.resolve f_2 };
-    _56 <- borrow_mut ( * d_6);
-    d_6 <- { d_6 with current = ( ^ _56) };
-    _53 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 188 16 188 41] BacktrackSafe0.backtrack_safe _54 (0 : usize) _55 _56);
-    goto BB18
-  }
-  BB18 {
-    assume { Resolve2.resolve t_3 };
-    assume { Resolve4.resolve d_6 };
-    _12 <- ();
-    goto BB19
-  }
-  BB19 {
-    goto BB20
-  }
-  BB20 {
-    _0 <- Type.Core_Option_Option_None;
-    goto BB21
-  }
-  BB21 {
-    goto BB25
-  }
-  BB22 {
-    goto BB23
-  }
-  BB23 {
-    goto BB24
-  }
-  BB24 {
-    goto BB25
-  }
-  BB25 {
-    return _0
-  }
-  
-end
-module CreuSat_Util_MinLog_Interface
-  use mach.int.Int
-  function min_log (a : int) (b : int) : int
-end
-module CreuSat_Util_MinLog
-  use mach.int.Int
-  function min_log [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 88 0 88 33] (a : int) (b : int) : int =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 87 0 87 8] if a <= b then a else b
-end
-module CreuSat_Util_Min_Interface
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  clone CreuSat_Util_MinLog_Interface as MinLog0
-  val min [@cfg:stackify] (a : usize) (b : usize) : usize
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 96 0 96 38] UInt64.to_int result = MinLog0.min_log (UInt64.to_int a) (UInt64.to_int b) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 97 0 97 38] UInt64.to_int a <= UInt64.to_int b -> UInt64.to_int result = UInt64.to_int a }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 98 0 98 37] UInt64.to_int b < UInt64.to_int a -> UInt64.to_int result = UInt64.to_int b }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 99 0 99 42] UInt64.to_int result <= UInt64.to_int b && UInt64.to_int result <= UInt64.to_int a }
-    
-end
-module CreuSat_Util_Min
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  clone CreuSat_Util_MinLog as MinLog0
-  let rec cfg min [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 100 0 100 39] (a : usize) (b : usize) : usize
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 96 0 96 38] UInt64.to_int result = MinLog0.min_log (UInt64.to_int a) (UInt64.to_int b) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 97 0 97 38] UInt64.to_int a <= UInt64.to_int b -> UInt64.to_int result = UInt64.to_int a }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 98 0 98 37] UInt64.to_int b < UInt64.to_int a -> UInt64.to_int result = UInt64.to_int b }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 99 0 99 42] UInt64.to_int result <= UInt64.to_int b && UInt64.to_int result <= UInt64.to_int a }
-    
-   =
-  var _0 : usize;
-  var a_1 : usize;
-  var b_2 : usize;
-  var _3 : bool;
-  var _4 : usize;
-  var _5 : usize;
-  {
-    a_1 <- a;
-    b_2 <- b;
-    goto BB0
-  }
-  BB0 {
-    _4 <- a_1;
-    _5 <- b_2;
-    _3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 101 7 101 13] _4 <= _5);
-    switch (_3)
-      | False -> goto BB2
-      | _ -> goto BB1
-      end
-  }
-  BB1 {
-    _0 <- a_1;
-    goto BB3
-  }
-  BB2 {
-    _0 <- b_2;
-    goto BB3
-  }
-  BB3 {
-    return _0
-  }
-  
-end
-module CreuSat_Util_MaxLog_Interface
-  use mach.int.Int
-  function max_log (a : int) (b : int) : int
-end
-module CreuSat_Util_MaxLog
-  use mach.int.Int
-  function max_log [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 109 0 109 33] (a : int) (b : int) : int =
-    [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 108 0 108 8] if a >= b then a else b
-end
-module CreuSat_Util_Max_Interface
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  clone CreuSat_Util_MaxLog_Interface as MaxLog0
-  val max [@cfg:stackify] (a : usize) (b : usize) : usize
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 117 0 117 38] UInt64.to_int result = MaxLog0.max_log (UInt64.to_int a) (UInt64.to_int b) }
-    
-end
-module CreuSat_Util_Max
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  clone CreuSat_Util_MaxLog as MaxLog0
-  let rec cfg max [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 118 0 118 39] (a : usize) (b : usize) : usize
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 117 0 117 38] UInt64.to_int result = MaxLog0.max_log (UInt64.to_int a) (UInt64.to_int b) }
-    
-   =
-  var _0 : usize;
-  var a_1 : usize;
-  var b_2 : usize;
-  var _3 : bool;
-  var _4 : usize;
-  var _5 : usize;
-  {
-    a_1 <- a;
-    b_2 <- b;
-    goto BB0
-  }
-  BB0 {
-    _4 <- a_1;
-    _5 <- b_2;
-    _3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/util.rs" 119 7 119 13] _4 >= _5);
-    switch (_3)
-      | False -> goto BB2
-      | _ -> goto BB1
-      end
-  }
-  BB1 {
-    _0 <- a_1;
-    goto BB3
-  }
-  BB2 {
-    _0 <- b_2;
-    goto BB3
-  }
-  BB3 {
-    return _0
-  }
-  
-end
-module CreuSat_UnitProp_Swap_Interface
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use seq.Permut
-  use prelude.Prelude
-  use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model2
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val swap [@cfg:stackify] (f : borrowed (Type.creusat_formula_formula)) (trail : Type.creusat_trail_trail) (watches : Type.creusat_watches_watches) (cref : usize) (j : usize) (k : usize) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 52 0 52 33] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 53 0 53 39] Invariant1.invariant' trail ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 54 0 54 41] Invariant2.invariant' watches ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 55 0 55 46] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) >= 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 56 0 56 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 57 0 57 46] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) > UInt64.to_int j}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 58 0 58 46] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) > UInt64.to_int k}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 59 0 59 69] not SatInner0.sat_inner (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) 0) (Model2.model (Type.creusat_trail_trail_Trail_assignments trail))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 52 0 52 33] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 53 0 53 39] Invariant1.invariant' trail ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 54 0 54 41] Invariant2.invariant' watches ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 61 0 61 78] Permut.exchange (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int cref))) (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) (UInt64.to_int j) (UInt64.to_int k) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 62 0 62 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 63 0 63 55] Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) = Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 65 0 65 25] Equisat0.equisat ( * f) ( ^ f) }
-    
-end
-module CreuSat_UnitProp_Swap
-  use mach.int.UInt64
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.Int32
-  use seq.Permut
-  use prelude.Prelude
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant3 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model2 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant6 with function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model1.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant5 with function Model0.model = Model1.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant4 with predicate Invariant0.invariant' = Invariant3.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant4.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner1 with function Model0.model = Model0.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model9.model,
-  function Model1.model = Model0.model, function Model2.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model4 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant5.invariant', function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model4.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model6.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model3.model,
-  function Model1.model = Model2.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model3.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model3.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model5.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model2.model,
-  function Model1.model = Model3.model, predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model2.model = Model5.model, function Model3.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant6.invariant', function Model0.model = Model3.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model5.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model2.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model5.model, function Model1.model = Model3.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = seq (Type.creusat_lit_lit)
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_lit_lit
-  clone CreusotContracts_Std1_Slice_Impl0_Model as Model10 with type t = Type.creusat_lit_lit, axiom .
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model11 with type t = seq (Type.creusat_lit_lit),
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model10.model
-  clone Core_Slice_Impl0_Swap_Interface as Swap0 with type t = Type.creusat_lit_lit,
-  function Model0.model = Model11.model, function Model1.model = Model10.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_clause_clause
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_formula_formula
-  clone Alloc_Vec_Impl11_DerefMut_Interface as DerefMut0 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, function Model0.model = Model10.model, function Model1.model = Model7.model
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = Type.creusat_clause_clause, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  let rec cfg swap [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 66 0 66 91] (f : borrowed (Type.creusat_formula_formula)) (trail : Type.creusat_trail_trail) (watches : Type.creusat_watches_watches) (cref : usize) (j : usize) (k : usize) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 52 0 52 33] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 53 0 53 39] Invariant1.invariant' trail ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 54 0 54 41] Invariant2.invariant' watches ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 55 0 55 46] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) >= 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 56 0 56 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 57 0 57 46] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) > UInt64.to_int j}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 58 0 58 46] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) > UInt64.to_int k}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 59 0 59 69] not SatInner0.sat_inner (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) 0) (Model2.model (Type.creusat_trail_trail_Trail_assignments trail))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 52 0 52 33] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 53 0 53 39] Invariant1.invariant' trail ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 54 0 54 41] Invariant2.invariant' watches ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 61 0 61 78] Permut.exchange (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int cref))) (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) (UInt64.to_int j) (UInt64.to_int k) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 62 0 62 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 63 0 63 55] Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) = Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 65 0 65 25] Equisat0.equisat ( * f) ( ^ f) }
-    
-   =
-  var _0 : ();
-  var f_1 : borrowed (Type.creusat_formula_formula);
-  var trail_2 : Type.creusat_trail_trail;
-  var watches_3 : Type.creusat_watches_watches;
-  var cref_4 : usize;
-  var j_5 : usize;
-  var k_6 : usize;
-  ghost var old_f_7 : borrowed (Type.creusat_formula_formula);
-  var _8 : ();
-  var _9 : ();
-  var _10 : ();
-  var _11 : ();
-  var _12 : borrowed (seq (Type.creusat_lit_lit));
-  var _13 : borrowed (seq (Type.creusat_lit_lit));
-  var _14 : borrowed (Type.alloc_vec_vec (Type.creusat_lit_lit) (Type.alloc_alloc_global));
-  var _15 : borrowed (Type.creusat_clause_clause);
-  var _16 : borrowed (Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global));
-  var _17 : usize;
-  var _18 : usize;
-  var _19 : usize;
-  var _20 : ();
-  var _21 : ();
-  var _22 : ();
-  var _23 : ();
-  var _24 : ();
-  var _25 : ();
-  {
-    f_1 <- f;
-    trail_2 <- trail;
-    watches_3 <- watches;
-    cref_4 <- cref;
-    j_5 <- j;
-    k_6 <- k;
-    goto BB0
-  }
-  BB0 {
-    _8 <- ();
-    old_f_7 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 67 16 67 28] f_1);
-    goto BB1
-  }
-  BB1 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 68 4 68 67] NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4))) };
-    _9 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 69 4 69 89] LongArePostUnitInner0.long_are_post_unit_inner (Model3.model (Type.creusat_trail_trail_Trail_trail trail_2)) ( * f_1) (Model2.model (Type.creusat_trail_trail_Trail_assignments trail_2)) && true };
-    _10 <- ();
-    _16 <- borrow_mut (Type.creusat_formula_formula_Formula_clauses ( * f_1));
-    f_1 <- { f_1 with current = (let Type.CreuSat_Formula_Formula a b =  * f_1 in Type.CreuSat_Formula_Formula ( ^ _16) b) };
-    assume { Resolve0.resolve f_1 };
-    _17 <- cref_4;
-    _15 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 71 4 71 19] IndexMut0.index_mut _16 _17);
-    goto BB2
-  }
-  BB2 {
-    _14 <- borrow_mut (Type.creusat_clause_clause_Clause_lits ( * _15));
-    _15 <- { _15 with current = (let Type.CreuSat_Clause_Clause a b c d =  * _15 in Type.CreuSat_Clause_Clause a b c ( ^ _14)) };
-    assume { Resolve1.resolve _15 };
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 71 4 71 35] DerefMut0.deref_mut _14);
-    goto BB3
-  }
-  BB3 {
-    _12 <- borrow_mut ( * _13);
-    _13 <- { _13 with current = ( ^ _12) };
-    _18 <- j_5;
-    _19 <- k_6;
-    _11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 71 4 71 35] Swap0.swap _12 _18 _19);
-    goto BB4
-  }
-  BB4 {
-    assume { Resolve2.resolve _13 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 72 4 72 84] Permut.exchange (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4))) (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * old_f_7))) (UInt64.to_int cref_4))) (UInt64.to_int j_5) (UInt64.to_int k_6) };
-    _20 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 73 4 77 6] forall i : (int) . 0 <= i && i < Seq.length (Model3.model (Type.creusat_trail_trail_Trail_trail trail_2)) -> match (Type.creusat_trail_step_Step_reason (Seq.get (Model3.model (Type.creusat_trail_trail_Trail_trail trail_2)) i)) with
-      | Type.CreuSat_Trail_Reason_Long cref2 -> UInt64.to_int cref_4 <> UInt64.to_int cref2
-      | _ -> true
-      end };
-    _21 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 78 4 78 73] VarsInRangeInner0.vars_in_range_inner (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4))) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f_1))) };
-    _22 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 79 4 79 67] NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4))) };
-    _23 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 80 4 80 81] LongArePostUnitInner0.long_are_post_unit_inner (Model3.model (Type.creusat_trail_trail_Trail_trail trail_2)) ( * f_1) (Model2.model (Type.creusat_trail_trail_Trail_assignments trail_2)) };
-    _24 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 81 4 81 51] CrefsInRange0.crefs_in_range (Model3.model (Type.creusat_trail_trail_Trail_trail trail_2)) ( * f_1) };
-    _25 <- ();
-    _0 <- ();
-    return _0
-  }
-  
-end
-module CreuSat_Watches_UpdateWatch_Interface
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model3 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic_Interface as ToWatchidxLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model2 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant0
-  val update_watch [@cfg:stackify] (f : Type.creusat_formula_formula) (trail : Type.creusat_trail_trail) (watches : borrowed (Type.creusat_watches_watches)) (cref : usize) (j : usize) (k : usize) (lit : Type.creusat_lit_lit) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 30 0 30 41] Invariant0.invariant' ( * watches) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 31 0 31 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 32 0 32 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 33 0 33 26] Invariant1.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 34 0 34 32] Invariant2.invariant' trail f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 35 0 35 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 36 0 36 57] 0 <= UInt64.to_int k && UInt64.to_int k < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 37 0 37 46] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) >= 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 38 0 38 70] Seq.length (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * watches))) (ToWatchidxLogic0.to_watchidx_logic lit))) > UInt64.to_int j}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 30 0 30 41] Invariant0.invariant' ( ^ watches) f }
-    
-end
-module CreuSat_Watches_UpdateWatch
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model8 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicUtil_Pop as Pop0 with type t = Type.creusat_watches_watcher, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model7.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model4 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicWatches_WatcherCrefsInRange as WatcherCrefsInRange0 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicWatches_LemmaPushMaintainsWatcherInvariant as LemmaPushMaintainsWatcherInvariant0 with predicate WatcherCrefsInRange0.watcher_crefs_in_range = WatcherCrefsInRange0.watcher_crefs_in_range,
-  function Model0.model = Model0.model, axiom .
-  clone CreuSat_Logic_LogicWatches_LemmaPopWatchMaintainsWatcherInvariant as LemmaPopWatchMaintainsWatcherInvariant0 with predicate WatcherCrefsInRange0.watcher_crefs_in_range = WatcherCrefsInRange0.watcher_crefs_in_range,
-  function Pop0.pop = Pop0.pop, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model5.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model6.model,
-  function Model1.model = Model8.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model8.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model1.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model4.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model6.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model6.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model8.model,
-  function Model1.model = Model6.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model5.model, function Model3.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model6.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model5.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model8.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant2 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model5.model, function Model1.model = Model6.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model3.model,
-  function Model1.model = Model0.model, function Model2.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicWatches_WatchValid as WatchValid0 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model, function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic as ToNegWatchidxLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic as ToWatchidxLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant0 with function Model0.model = Model2.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  use mach.int.Int64
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_watches_watches
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy3
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy2
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = seq (Type.creusat_watches_watcher)
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Std1_Slice_Impl0_Model as Model10 with type t = Type.creusat_watches_watcher, axiom .
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model11 with type t = seq (Type.creusat_watches_watcher),
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model10.model
-  clone Core_Slice_Impl0_Swap_Interface as Swap0 with type t = Type.creusat_watches_watcher,
-  function Model0.model = Model11.model, function Model1.model = Model10.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone Alloc_Vec_Impl1_Push_Interface as Push0 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, function Model0.model = Model3.model
-  clone Alloc_Vec_Impl1_Pop_Interface as Pop1 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, function Model0.model = Model3.model
-  clone Alloc_Vec_Impl11_DerefMut_Interface as DerefMut0 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, function Model0.model = Model10.model, function Model1.model = Model3.model
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, function Model0.model = Model3.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model13 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy3.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index2 with function Model0.model = Model13.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model12 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model4.model
-  clone CreuSat_Formula_Impl0_Index_Interface as Index1 with function Model0.model = Model12.model
-  clone CreuSat_Lit_Impl1_ToNegWatchidx_Interface as ToNegWatchidx0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function ToNegWatchidxLogic0.to_neg_watchidx_logic = ToNegWatchidxLogic0.to_neg_watchidx_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl1_ToWatchidx_Interface as ToWatchidx0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function ToWatchidxLogic0.to_watchidx_logic = ToWatchidxLogic0.to_watchidx_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type i = usize, type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type i = usize, type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  let rec cfg update_watch [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 39 0 39 113] (f : Type.creusat_formula_formula) (trail : Type.creusat_trail_trail) (watches : borrowed (Type.creusat_watches_watches)) (cref : usize) (j : usize) (k : usize) (lit : Type.creusat_lit_lit) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 30 0 30 41] Invariant0.invariant' ( * watches) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 31 0 31 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 32 0 32 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 33 0 33 26] Invariant1.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 34 0 34 32] Invariant2.invariant' trail f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 35 0 35 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 36 0 36 57] 0 <= UInt64.to_int k && UInt64.to_int k < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 37 0 37 46] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) >= 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 38 0 38 70] Seq.length (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * watches))) (ToWatchidxLogic0.to_watchidx_logic lit))) > UInt64.to_int j}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 30 0 30 41] Invariant0.invariant' ( ^ watches) f }
-    
-   =
-  var _0 : ();
-  var f_1 : Type.creusat_formula_formula;
-  var trail_2 : Type.creusat_trail_trail;
-  var watches_3 : borrowed (Type.creusat_watches_watches);
-  var cref_4 : usize;
-  var j_5 : usize;
-  var k_6 : usize;
-  var lit_7 : Type.creusat_lit_lit;
-  var watchidx_8 : usize;
-  var _9 : Type.creusat_lit_lit;
-  var end'_10 : usize;
-  var _11 : usize;
-  var _12 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _13 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _14 : Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global);
-  var _15 : usize;
-  var _16 : ();
-  var _17 : borrowed (seq (Type.creusat_watches_watcher));
-  var _18 : borrowed (seq (Type.creusat_watches_watcher));
-  var _19 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _20 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _21 : borrowed (Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global));
-  var _22 : usize;
-  var _23 : usize;
-  var _24 : usize;
-  var curr_lit_25 : Type.creusat_lit_lit;
-  var _26 : Type.creusat_lit_lit;
-  var _27 : Type.creusat_clause_clause;
-  var _28 : Type.creusat_clause_clause;
-  var _29 : Type.creusat_formula_formula;
-  var _30 : usize;
-  var _31 : usize;
-  var _32 : ();
-  ghost var old_w_33 : borrowed (Type.creusat_watches_watches);
-  var _34 : ();
-  var _35 : ();
-  var _36 : Type.core_option_option (Type.creusat_watches_watcher);
-  var _37 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _38 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _39 : borrowed (Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global));
-  var _40 : usize;
-  var _41 : isize;
-  var w_42 : Type.creusat_watches_watcher;
-  var _43 : ();
-  var _44 : ();
-  var _45 : ();
-  var _46 : ();
-  var _47 : ();
-  var _48 : ();
-  var _49 : ();
-  var _50 : ();
-  var watch_lit_51 : usize;
-  var _52 : Type.creusat_lit_lit;
-  var _53 : ();
-  var _54 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _55 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _56 : borrowed (Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global));
-  var _57 : usize;
-  var _58 : Type.creusat_watches_watcher;
-  var _59 : ();
-  var _60 : ();
-  var _61 : ();
-  var _62 : ();
-  var _63 : ();
-  {
-    f_1 <- f;
-    trail_2 <- trail;
-    watches_3 <- watches;
-    cref_4 <- cref;
-    j_5 <- j;
-    k_6 <- k;
-    lit_7 <- lit;
-    goto BB0
-  }
-  BB0 {
-    _9 <- lit_7;
-    watchidx_8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 40 19 40 36] ToWatchidx0.to_watchidx _9);
-    goto BB1
-  }
-  BB1 {
-    _14 <- Type.creusat_watches_watches_Watches_watches ( * watches_3);
-    _15 <- watchidx_8;
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 41 14 41 39] Index0.index _14 _15);
-    goto BB2
-  }
-  BB2 {
-    _12 <- _13;
-    _11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 41 14 41 45] Len0.len _12);
-    goto BB3
-  }
-  BB3 {
-    end'_10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 41 14 41 49] _11 - (1 : usize));
-    _21 <- borrow_mut (Type.creusat_watches_watches_Watches_watches ( * watches_3));
-    watches_3 <- { watches_3 with current = (let Type.CreuSat_Watches_Watches a =  * watches_3 in Type.CreuSat_Watches_Watches ( ^ _21)) };
-    _22 <- watchidx_8;
-    _20 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 42 4 42 29] IndexMut0.index_mut _21 _22);
-    goto BB4
-  }
-  BB4 {
-    _19 <- borrow_mut ( * _20);
-    _20 <- { _20 with current = ( ^ _19) };
-    assume { Resolve0.resolve _20 };
-    _18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 42 4 42 42] DerefMut0.deref_mut _19);
-    goto BB5
-  }
-  BB5 {
-    _17 <- borrow_mut ( * _18);
-    _18 <- { _18 with current = ( ^ _17) };
-    _23 <- j_5;
-    _24 <- end'_10;
-    _16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 42 4 42 42] Swap0.swap _17 _23 _24);
-    goto BB6
-  }
-  BB6 {
-    assume { Resolve1.resolve _18 };
-    _29 <- f_1;
-    _30 <- cref_4;
-    _28 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 43 19 43 26] Index1.index _29 _30);
-    goto BB7
-  }
-  BB7 {
-    _27 <- _28;
-    _31 <- k_6;
-    _26 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 43 19 43 29] Index2.index _27 _31);
-    goto BB8
-  }
-  BB8 {
-    curr_lit_25 <- _26;
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 44 4 44 55] UInt64.to_int watchidx_8 < Seq.length (Model2.model (Type.creusat_watches_watches_Watches_watches ( * watches_3))) };
-    _32 <- ();
-    _34 <- ();
-    old_w_33 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 45 16 45 31] watches_3);
-    goto BB9
-  }
-  BB9 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 46 4 46 77] WatcherCrefsInRange0.watcher_crefs_in_range (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * watches_3))) (UInt64.to_int watchidx_8))) f_1 };
-    _35 <- ();
-    _39 <- borrow_mut (Type.creusat_watches_watches_Watches_watches ( * watches_3));
-    watches_3 <- { watches_3 with current = (let Type.CreuSat_Watches_Watches a =  * watches_3 in Type.CreuSat_Watches_Watches ( ^ _39)) };
-    _40 <- watchidx_8;
-    _38 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 47 10 47 35] IndexMut0.index_mut _39 _40);
-    goto BB10
-  }
-  BB10 {
-    _37 <- borrow_mut ( * _38);
-    _38 <- { _38 with current = ( ^ _37) };
-    _36 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 47 10 47 41] Pop1.pop _37);
-    goto BB11
-  }
-  BB11 {
-    assume { Resolve0.resolve _38 };
-    switch (_36)
-      | Type.Core_Option_Option_None -> goto BB12
-      | Type.Core_Option_Option_Some _ -> goto BB14
-      end
-  }
-  BB12 {
-    assume { Resolve2.resolve watches_3 };
-    absurd
-  }
-  BB13 {
-    assume { Resolve2.resolve watches_3 };
-    absurd
-  }
-  BB14 {
-    w_42 <- Type.core_option_option_Some_0 _36;
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 49 12 49 110] let _ = LemmaPopWatchMaintainsWatcherInvariant0.lemma_pop_watch_maintains_watcher_invariant (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * old_w_33))) (UInt64.to_int watchidx_8))) f_1 in true };
-    _43 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 50 12 50 94] Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * watches_3))) (UInt64.to_int watchidx_8)) = Pop0.pop (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * old_w_33))) (UInt64.to_int watchidx_8))) };
-    _44 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 51 12 51 85] WatcherCrefsInRange0.watcher_crefs_in_range (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * watches_3))) (UInt64.to_int watchidx_8))) f_1 };
-    _45 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 52 12 52 48] Invariant0.invariant' ( * watches_3) f_1 };
-    _46 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 53 12 53 86] ToNegWatchidxLogic0.to_neg_watchidx_logic curr_lit_25 < Seq.length (Model2.model (Type.creusat_watches_watches_Watches_watches ( * watches_3))) };
-    _47 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 54 12 54 108] WatcherCrefsInRange0.watcher_crefs_in_range (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * watches_3))) (ToNegWatchidxLogic0.to_neg_watchidx_logic curr_lit_25))) f_1 };
-    _48 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 55 12 55 55] UInt64.to_int (Type.creusat_watches_watcher_Watcher_cref w_42) < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f_1)) };
-    _49 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 56 12 56 133] let _ = LemmaPushMaintainsWatcherInvariant0.lemma_push_maintains_watcher_invariant (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * watches_3))) (ToNegWatchidxLogic0.to_neg_watchidx_logic curr_lit_25))) f_1 w_42 in true };
-    _50 <- ();
-    _52 <- curr_lit_25;
-    watch_lit_51 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 58 28 58 54] ToNegWatchidx0.to_neg_watchidx _52);
-    goto BB15
-  }
-  BB15 {
-    _56 <- borrow_mut (Type.creusat_watches_watches_Watches_watches ( * watches_3));
-    watches_3 <- { watches_3 with current = (let Type.CreuSat_Watches_Watches a =  * watches_3 in Type.CreuSat_Watches_Watches ( ^ _56)) };
-    assume { Resolve2.resolve watches_3 };
-    _57 <- watch_lit_51;
-    _55 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 59 12 59 38] IndexMut0.index_mut _56 _57);
-    goto BB16
-  }
-  BB16 {
-    _54 <- borrow_mut ( * _55);
-    _55 <- { _55 with current = ( ^ _54) };
-    _58 <- w_42;
-    _53 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 59 12 59 46] Push0.push _54 _58);
-    goto BB17
-  }
-  BB17 {
-    assume { Resolve0.resolve _55 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 61 12 61 77] WatchValid0.watch_valid (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * watches_3))) (UInt64.to_int watch_lit_51))) f_1 };
-    _59 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 62 12 62 108] WatcherCrefsInRange0.watcher_crefs_in_range (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * watches_3))) (ToNegWatchidxLogic0.to_neg_watchidx_logic curr_lit_25))) f_1 };
-    _60 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 63 12 63 48] Invariant0.invariant' ( * watches_3) f_1 };
-    _61 <- ();
-    _0 <- ();
-    return _0
-  }
-  
-end
-module CreuSat_UnitProp_CheckAndMoveWatch_Interface
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  clone CreuSat_Logic_LogicLit_Impl1_Unsat_Interface as Unsat0
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model4 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic_Interface as ToWatchidxLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model3 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model2
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val check_and_move_watch [@cfg:stackify] (f : borrowed (Type.creusat_formula_formula)) (trail : Type.creusat_trail_trail) (watches : borrowed (Type.creusat_watches_watches)) (cref : usize) (j : usize) (k : usize) (lit : Type.creusat_lit_lit) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 16 0 16 33] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 17 0 17 36] Invariant1.invariant' trail ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 18 0 18 44] Invariant2.invariant' ( * watches) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 19 0 19 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 20 0 20 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 21 0 21 69] not SatInner0.sat_inner (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) 0) (Model2.model (Type.creusat_trail_trail_Trail_assignments trail))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 22 0 22 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 23 0 23 57] 2 <= UInt64.to_int k && UInt64.to_int k < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 24 0 24 70] Seq.length (Model4.model (Seq.get (Model3.model (Type.creusat_watches_watches_Watches_watches ( * watches))) (ToWatchidxLogic0.to_watchidx_logic lit))) > UInt64.to_int j}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 16 0 16 33] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 17 0 17 36] Invariant1.invariant' trail ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 18 0 18 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 25 0 25 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 26 0 26 25] Equisat0.equisat ( * f) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 27 0 27 55] Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) = Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 28 0 28 114] not result -> Unsat0.unsat (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int cref))) (UInt64.to_int k)) (Type.creusat_trail_trail_Trail_assignments trail) &&  ^ f =  * f &&  * watches =  ^ watches }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 29 0 29 75] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int cref))) = Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) }
-    
-end
-module CreuSat_UnitProp_CheckAndMoveWatch
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model2 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model8.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model5 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model1.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model1.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model5.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Unsat as Unsat0 with function Model0.model = Model2.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model4.model,
-  function Model1.model = Model0.model, function Model2.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic as ToWatchidxLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model1.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner1 with function Model0.model = Model0.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model, predicate Sat0.sat = Sat0.sat
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model3.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model7.model,
-  function Model1.model = Model2.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model7.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model7.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model6.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model2.model,
-  function Model1.model = Model7.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model6.model, function Model3.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model7.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model6.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model2.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model6.model, function Model1.model = Model7.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_formula_formula
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy2
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model12 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model2.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model11 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index1 with function Model0.model = Model11.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model10 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model5.model
-  clone CreuSat_Formula_Impl0_Index_Interface as Index0 with function Model0.model = Model10.model
-  clone CreuSat_Lit_Impl1_Index_Interface as Index2 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Lit_Impl1_LitUnsat_Interface as LitUnsat0 with function Model0.model = Model12.model,
-  predicate Invariant0.invariant' = Invariant6.invariant', predicate Unsat0.unsat = Unsat0.unsat
-  clone CreuSat_Watches_UpdateWatch_Interface as UpdateWatch0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate Invariant1.invariant' = Invariant0.invariant',
-  predicate Invariant2.invariant' = Invariant1.invariant', function Model0.model = Model0.model,
-  function Model1.model = Model1.model, function Model2.model = Model3.model,
-  function ToWatchidxLogic0.to_watchidx_logic = ToWatchidxLogic0.to_watchidx_logic,
-  function Model3.model = Model4.model, predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_UnitProp_Swap_Interface as Swap0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  function Model0.model = Model0.model, function Model1.model = Model1.model, function Model2.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner, predicate Equisat0.equisat = Equisat0.equisat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg check_and_move_watch [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 30 0 32 9] (f : borrowed (Type.creusat_formula_formula)) (trail : Type.creusat_trail_trail) (watches : borrowed (Type.creusat_watches_watches)) (cref : usize) (j : usize) (k : usize) (lit : Type.creusat_lit_lit) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 16 0 16 33] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 17 0 17 36] Invariant1.invariant' trail ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 18 0 18 44] Invariant2.invariant' ( * watches) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 19 0 19 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 20 0 20 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 21 0 21 69] not SatInner0.sat_inner (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) 0) (Model2.model (Type.creusat_trail_trail_Trail_assignments trail))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 22 0 22 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 23 0 23 57] 2 <= UInt64.to_int k && UInt64.to_int k < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 24 0 24 70] Seq.length (Model4.model (Seq.get (Model3.model (Type.creusat_watches_watches_Watches_watches ( * watches))) (ToWatchidxLogic0.to_watchidx_logic lit))) > UInt64.to_int j}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 16 0 16 33] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 17 0 17 36] Invariant1.invariant' trail ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 18 0 18 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 25 0 25 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 26 0 26 25] Equisat0.equisat ( * f) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 27 0 27 55] Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) = Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 28 0 28 114] not result -> Unsat0.unsat (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int cref))) (UInt64.to_int k)) (Type.creusat_trail_trail_Trail_assignments trail) &&  ^ f =  * f &&  * watches =  ^ watches }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 29 0 29 75] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int cref))) = Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) }
-    
-   =
-  var _0 : bool;
-  var f_1 : borrowed (Type.creusat_formula_formula);
-  var trail_2 : Type.creusat_trail_trail;
-  var watches_3 : borrowed (Type.creusat_watches_watches);
-  var cref_4 : usize;
-  var j_5 : usize;
-  var k_6 : usize;
-  var lit_7 : Type.creusat_lit_lit;
-  var _8 : ();
-  var curr_lit_9 : Type.creusat_lit_lit;
-  var _10 : Type.creusat_lit_lit;
-  var _11 : Type.creusat_clause_clause;
-  var _12 : Type.creusat_clause_clause;
-  var _13 : Type.creusat_formula_formula;
-  var _14 : usize;
-  var _15 : usize;
-  var _16 : ();
-  var _17 : bool;
-  var _18 : bool;
-  var _19 : Type.creusat_lit_lit;
-  var _20 : Type.creusat_assignments_assignments;
-  var _21 : Type.creusat_assignments_assignments;
-  var _22 : ();
-  var _23 : ();
-  var _24 : bool;
-  var _25 : usize;
-  var _26 : Type.creusat_lit_lit;
-  var _27 : Type.creusat_lit_lit;
-  var _28 : Type.creusat_clause_clause;
-  var _29 : Type.creusat_clause_clause;
-  var _30 : Type.creusat_formula_formula;
-  var _31 : usize;
-  var _32 : usize;
-  var _33 : Type.creusat_lit_lit;
-  var _34 : ();
-  var _35 : borrowed (Type.creusat_formula_formula);
-  var _36 : Type.creusat_trail_trail;
-  var _37 : Type.creusat_watches_watches;
-  var _38 : usize;
-  var _39 : usize;
-  var _40 : ();
-  var _41 : Type.creusat_formula_formula;
-  var _42 : Type.creusat_trail_trail;
-  var _43 : borrowed (Type.creusat_watches_watches);
-  var _44 : usize;
-  var _45 : usize;
-  var _46 : Type.creusat_lit_lit;
-  var _47 : ();
-  var _48 : borrowed (Type.creusat_formula_formula);
-  var _49 : Type.creusat_trail_trail;
-  var _50 : Type.creusat_watches_watches;
-  var _51 : usize;
-  var _52 : usize;
-  var _53 : ();
-  var _54 : borrowed (Type.creusat_formula_formula);
-  var _55 : Type.creusat_trail_trail;
-  var _56 : Type.creusat_watches_watches;
-  var _57 : usize;
-  var _58 : ();
-  var _59 : Type.creusat_formula_formula;
-  var _60 : Type.creusat_trail_trail;
-  var _61 : borrowed (Type.creusat_watches_watches);
-  var _62 : usize;
-  var _63 : usize;
-  var _64 : Type.creusat_lit_lit;
-  {
-    f_1 <- f;
-    trail_2 <- trail;
-    watches_3 <- watches;
-    cref_4 <- cref;
-    j_5 <- j;
-    k_6 <- k;
-    lit_7 <- lit;
-    goto BB0
-  }
-  BB0 {
-    _13 <-  * f_1;
-    _14 <- cref_4;
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 33 19 33 26] Index0.index _13 _14);
-    goto BB1
-  }
-  BB1 {
-    _11 <- _12;
-    _15 <- k_6;
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 33 19 33 29] Index1.index _11 _15);
-    goto BB2
-  }
-  BB2 {
-    curr_lit_9 <- _10;
-    _19 <- curr_lit_9;
-    _21 <- Type.creusat_trail_trail_Trail_assignments trail_2;
-    _20 <- _21;
-    _18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 34 8 34 46] LitUnsat0.lit_unsat _19 _20);
-    goto BB3
-  }
-  BB3 {
-    _17 <- not _18;
-    switch (_17)
-      | False -> goto BB17
-      | _ -> goto BB4
-      end
-  }
-  BB4 {
-    _30 <-  * f_1;
-    _31 <- cref_4;
-    _29 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 36 11 36 18] Index0.index _30 _31);
-    goto BB5
-  }
-  BB5 {
-    _28 <- _29;
-    _27 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 36 11 36 21] Index1.index _28 (0 : usize));
-    goto BB6
-  }
-  BB6 {
-    _26 <- _27;
-    _25 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 36 11 36 29] Index2.index _26);
-    goto BB7
-  }
-  BB7 {
-    _33 <- lit_7;
-    _32 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 36 33 36 44] Index2.index _33);
-    goto BB8
-  }
-  BB8 {
-    _24 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 36 11 36 44] _25 = _32);
-    switch (_24)
-      | False -> goto BB12
-      | _ -> goto BB9
-      end
-  }
-  BB9 {
-    _35 <- borrow_mut ( * f_1);
-    f_1 <- { f_1 with current = ( ^ _35) };
-    _36 <- trail_2;
-    _37 <-  * watches_3;
-    _38 <- cref_4;
-    _39 <- k_6;
-    _34 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 38 12 38 47] Swap0.swap _35 _36 _37 _38 _39 (0 : usize));
-    goto BB10
-  }
-  BB10 {
-    _41 <-  * f_1;
-    assume { Resolve0.resolve f_1 };
-    _42 <- trail_2;
-    _43 <- borrow_mut ( * watches_3);
-    watches_3 <- { watches_3 with current = ( ^ _43) };
-    _44 <- cref_4;
-    _45 <- j_5;
-    _46 <- lit_7;
-    _40 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 39 12 39 60] UpdateWatch0.update_watch _41 _42 _43 _44 _45 (0 : usize) _46);
-    goto BB11
-  }
-  BB11 {
-    assume { Resolve1.resolve watches_3 };
-    _23 <- ();
-    goto BB16
-  }
-  BB12 {
-    _48 <- borrow_mut ( * f_1);
-    f_1 <- { f_1 with current = ( ^ _48) };
-    _49 <- trail_2;
-    _50 <-  * watches_3;
-    _51 <- cref_4;
-    _52 <- k_6;
-    _47 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 41 12 41 47] Swap0.swap _48 _49 _50 _51 _52 (1 : usize));
-    goto BB13
-  }
-  BB13 {
-    _54 <- borrow_mut ( * f_1);
-    f_1 <- { f_1 with current = ( ^ _54) };
-    _55 <- trail_2;
-    _56 <-  * watches_3;
-    _57 <- cref_4;
-    _53 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 42 12 42 47] Swap0.swap _54 _55 _56 _57 (1 : usize) (0 : usize));
-    goto BB14
-  }
-  BB14 {
-    _59 <-  * f_1;
-    assume { Resolve0.resolve f_1 };
-    _60 <- trail_2;
-    _61 <- borrow_mut ( * watches_3);
-    watches_3 <- { watches_3 with current = ( ^ _61) };
-    _62 <- cref_4;
-    _63 <- j_5;
-    _64 <- lit_7;
-    _58 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 44 12 44 60] UpdateWatch0.update_watch _59 _60 _61 _62 _63 (0 : usize) _64);
-    goto BB15
-  }
-  BB15 {
-    assume { Resolve1.resolve watches_3 };
-    _23 <- ();
-    goto BB16
-  }
-  BB16 {
-    _0 <- true;
-    goto BB18
-  }
-  BB17 {
-    assume { Resolve0.resolve f_1 };
-    assume { Resolve1.resolve watches_3 };
-    _16 <- ();
-    _0 <- false;
-    goto BB18
-  }
-  BB18 {
-    return _0
-  }
-  
-end
-module CreuSat_UnitProp_ExistsNewWatchableLit_Interface
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicLit_Impl1_Unsat_Interface as Unsat0
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model4
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model3
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic_Interface as ToWatchidxLogic0
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val exists_new_watchable_lit [@cfg:stackify] (f : borrowed (Type.creusat_formula_formula)) (trail : Type.creusat_trail_trail) (watches : borrowed (Type.creusat_watches_watches)) (cref : usize) (j : usize) (lit : Type.creusat_lit_lit) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 86 0 86 33] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 87 0 87 38] Invariant1.invariant' trail ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 88 0 88 44] Invariant2.invariant' ( * watches) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 89 0 89 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 90 0 90 63] ToWatchidxLogic0.to_watchidx_logic lit < Seq.length (Model0.model (Type.creusat_watches_watches_Watches_watches ( * watches)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 91 0 91 70] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( * watches))) (ToWatchidxLogic0.to_watchidx_logic lit))) > UInt64.to_int j}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 92 0 92 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 93 0 93 39] UInt64.to_int cref < Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 94 0 94 46] Seq.length (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) >= 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 95 0 95 69] not SatInner0.sat_inner (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) 0) (Model4.model (Type.creusat_trail_trail_Trail_assignments trail))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 86 0 86 33] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 87 0 87 38] Invariant1.invariant' trail ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 88 0 88 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 96 0 96 136] not result -> (forall m : (int) . 2 <= m && m < Seq.length (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) -> Unsat0.unsat (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) m) (Type.creusat_trail_trail_Trail_assignments trail)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 97 0 97 75] not result -> Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref)) = Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int cref)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 98 0 98 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 99 0 99 55] Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 100 0 100 25] Equisat0.equisat ( * f) ( ^ f) }
-    
-end
-module CreuSat_UnitProp_ExistsNewWatchableLit
-  use mach.int.UInt64
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model4 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model4.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model3 with function Model0.model = Model8.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model2.model,
-  function Model1.model = Model3.model
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model6 with function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model3.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model0.model = Model3.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model2.model,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model3.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model6.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant3 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant3.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model3.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model2.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Unsat as Unsat0 with function Model0.model = Model4.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model1.model,
-  function Model1.model = Model2.model, function Model2.model = Model3.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model3.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner1 with function Model0.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model3.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model2.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model4.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model2.model,
-  function Model1.model = Model3.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic as ToWatchidxLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model0.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model5.model,
-  function Model1.model = Model4.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model5.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model5.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model7.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model4.model,
-  function Model1.model = Model5.model, predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model2.model = Model7.model, function Model3.model = Model2.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model5.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model7.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model4.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model7.model, function Model1.model = Model5.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_formula_formula
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_watches_watches
-  clone CreuSat_Util_MaxLog as MaxLog0
-  clone CreuSat_Util_Max_Interface as Max0 with function MaxLog0.max_log = MaxLog0.max_log
-  clone CreuSat_Util_MinLog as MinLog0
-  clone CreuSat_Util_Min_Interface as Min0 with function MinLog0.min_log = MinLog0.min_log
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy2
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_clause_clause
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model10 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model3.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len0 with function Model0.model = Model10.model
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = Type.creusat_clause_clause, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.creusat_clause_clause, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model11 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model6.model
-  clone CreuSat_Formula_Impl0_Index_Interface as Index1 with function Model0.model = Model11.model
-  clone CreuSat_UnitProp_CheckAndMoveWatch_Interface as CheckAndMoveWatch0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, function Model0.model = Model2.model,
-  function Model1.model = Model3.model, function Model2.model = Model4.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner, function Model3.model = Model0.model,
-  function ToWatchidxLogic0.to_watchidx_logic = ToWatchidxLogic0.to_watchidx_logic,
-  function Model4.model = Model1.model, predicate Equisat0.equisat = Equisat0.equisat,
-  predicate Unsat0.unsat = Unsat0.unsat, predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg exists_new_watchable_lit [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 101 0 103 9] (f : borrowed (Type.creusat_formula_formula)) (trail : Type.creusat_trail_trail) (watches : borrowed (Type.creusat_watches_watches)) (cref : usize) (j : usize) (lit : Type.creusat_lit_lit) : bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 86 0 86 33] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 87 0 87 38] Invariant1.invariant' trail ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 88 0 88 44] Invariant2.invariant' ( * watches) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 89 0 89 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 90 0 90 63] ToWatchidxLogic0.to_watchidx_logic lit < Seq.length (Model0.model (Type.creusat_watches_watches_Watches_watches ( * watches)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 91 0 91 70] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( * watches))) (ToWatchidxLogic0.to_watchidx_logic lit))) > UInt64.to_int j}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 92 0 92 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 93 0 93 39] UInt64.to_int cref < Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 94 0 94 46] Seq.length (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) >= 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 95 0 95 69] not SatInner0.sat_inner (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) 0) (Model4.model (Type.creusat_trail_trail_Trail_assignments trail))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 86 0 86 33] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 87 0 87 38] Invariant1.invariant' trail ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 88 0 88 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 96 0 96 136] not result -> (forall m : (int) . 2 <= m && m < Seq.length (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) -> Unsat0.unsat (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) m) (Type.creusat_trail_trail_Trail_assignments trail)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 97 0 97 75] not result -> Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref)) = Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int cref)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 98 0 98 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 99 0 99 55] Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 100 0 100 25] Equisat0.equisat ( * f) ( ^ f) }
-    
-   =
-  var _0 : bool;
-  var f_1 : borrowed (Type.creusat_formula_formula);
-  var trail_2 : Type.creusat_trail_trail;
-  var watches_3 : borrowed (Type.creusat_watches_watches);
-  var cref_4 : usize;
-  var j_5 : usize;
-  var lit_6 : Type.creusat_lit_lit;
-  ghost var old_w_7 : borrowed (Type.creusat_watches_watches);
-  var _8 : ();
-  ghost var old_f_9 : borrowed (Type.creusat_formula_formula);
-  var _10 : ();
-  var clause_len_11 : usize;
-  var _12 : Type.creusat_clause_clause;
-  var _13 : Type.creusat_clause_clause;
-  var _14 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var _15 : usize;
-  var init_search_16 : usize;
-  var _17 : usize;
-  var _18 : usize;
-  var _19 : Type.creusat_clause_clause;
-  var _20 : Type.creusat_formula_formula;
-  var _21 : usize;
-  var _22 : usize;
-  var search_23 : usize;
-  var _24 : ();
-  var _25 : ();
-  var _26 : bool;
-  var _27 : usize;
-  var _28 : usize;
-  var _29 : ();
-  var _30 : bool;
-  var _31 : borrowed (Type.creusat_formula_formula);
-  var _32 : Type.creusat_trail_trail;
-  var _33 : borrowed (Type.creusat_watches_watches);
-  var _34 : usize;
-  var _35 : usize;
-  var _36 : usize;
-  var _37 : Type.creusat_lit_lit;
-  var _38 : ();
-  ghost var old_f2_39 : borrowed (Type.creusat_formula_formula);
-  var _40 : ();
-  var _41 : usize;
-  var _42 : borrowed (Type.creusat_clause_clause);
-  var _43 : borrowed (Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global));
-  var _44 : usize;
-  var _45 : ();
-  var _46 : ();
-  var _47 : ();
-  var _48 : ();
-  var _49 : ();
-  var _50 : ();
-  var _51 : ();
-  var _52 : bool;
-  var _53 : usize;
-  var _54 : usize;
-  var _55 : ();
-  var _56 : bool;
-  var _57 : borrowed (Type.creusat_formula_formula);
-  var _58 : Type.creusat_trail_trail;
-  var _59 : borrowed (Type.creusat_watches_watches);
-  var _60 : usize;
-  var _61 : usize;
-  var _62 : usize;
-  var _63 : Type.creusat_lit_lit;
-  var _64 : ();
-  ghost var old_f2_65 : borrowed (Type.creusat_formula_formula);
-  var _66 : ();
-  var _67 : usize;
-  var _68 : borrowed (Type.creusat_clause_clause);
-  var _69 : borrowed (Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global));
-  var _70 : usize;
-  var _71 : ();
-  var _72 : ();
-  var _73 : ();
-  var _74 : ();
-  var _75 : ();
-  var _76 : ();
-  {
-    f_1 <- f;
-    trail_2 <- trail;
-    watches_3 <- watches;
-    cref_4 <- cref;
-    j_5 <- j;
-    lit_6 <- lit;
-    goto BB0
-  }
-  BB0 {
-    _8 <- ();
-    old_w_7 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 104 16 104 34] watches_3);
-    goto BB1
-  }
-  BB1 {
-    _10 <- ();
-    old_f_9 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 105 16 105 28] f_1);
-    goto BB2
-  }
-  BB2 {
-    _14 <- Type.creusat_formula_formula_Formula_clauses ( * f_1);
-    _15 <- cref_4;
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 106 28 106 43] Index0.index _14 _15);
-    goto BB3
-  }
-  BB3 {
-    _12 <- _13;
-    clause_len_11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 106 28 106 49] Len0.len _12);
-    goto BB4
-  }
-  BB4 {
-    _20 <-  * f_1;
-    _21 <- cref_4;
-    _19 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 107 42 107 49] Index1.index _20 _21);
-    goto BB5
-  }
-  BB5 {
-    _18 <- Type.creusat_clause_clause_Clause_search _19;
-    _22 <- clause_len_11;
-    _17 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 107 32 107 69] Min0.min _18 _22);
-    goto BB6
-  }
-  BB6 {
-    init_search_16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 107 22 107 73] Max0.max _17 (2 : usize));
-    goto BB7
-  }
-  BB7 {
-    search_23 <- init_search_16;
-    goto BB8
-  }
-  BB8 {
-    invariant search { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 109 4 109 38] UInt64.to_int search_23 >= 2 };
-    invariant f_unchanged { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 110 4 110 42] f_1 = old_f_9 };
-    invariant w_unchanged { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 111 4 111 48] watches_3 = old_w_7 };
-    invariant uns { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 112 4 112 125] forall m : (int) . UInt64.to_int init_search_16 <= m && m < UInt64.to_int search_23 -> Unsat0.unsat (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4))) m) (Type.creusat_trail_trail_Trail_assignments trail_2) };
-    invariant first_not_sat { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 114 4 114 89] not SatInner0.sat_inner (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4))) 0) (Model4.model (Type.creusat_trail_trail_Trail_assignments trail_2)) };
-    _27 <- search_23;
-    _28 <- clause_len_11;
-    _26 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 115 10 115 29] _27 < _28);
-    switch (_26)
-      | False -> goto BB15
-      | _ -> goto BB9
-      end
-  }
-  BB9 {
-    _31 <- borrow_mut ( * f_1);
-    f_1 <- { f_1 with current = ( ^ _31) };
-    _32 <- trail_2;
-    _33 <- borrow_mut ( * watches_3);
-    watches_3 <- { watches_3 with current = ( ^ _33) };
-    _34 <- cref_4;
-    _35 <- j_5;
-    _36 <- search_23;
-    _37 <- lit_6;
-    _30 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 116 11 116 72] CheckAndMoveWatch0.check_and_move_watch _31 _32 _33 _34 _35 _36 _37);
-    goto BB10
-  }
-  BB10 {
-    switch (_30)
-      | False -> goto BB14
-      | _ -> goto BB11
-      end
-  }
-  BB11 {
-    assume { Resolve0.resolve watches_3 };
-    _40 <- ();
-    old_f2_39 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 117 25 117 37] f_1);
-    goto BB12
-  }
-  BB12 {
-    _41 <- search_23;
-    _43 <- borrow_mut (Type.creusat_formula_formula_Formula_clauses ( * f_1));
-    f_1 <- { f_1 with current = (let Type.CreuSat_Formula_Formula a b =  * f_1 in Type.CreuSat_Formula_Formula ( ^ _43) b) };
-    assume { Resolve1.resolve f_1 };
-    _44 <- cref_4;
-    _42 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 118 12 118 27] IndexMut0.index_mut _43 _44);
-    goto BB13
-  }
-  BB13 {
-    _42 <- { _42 with current = (let Type.CreuSat_Clause_Clause a b c d =  * _42 in Type.CreuSat_Clause_Clause a b _41 d) };
-    assume { Resolve2.resolve _42 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 119 12 119 130] forall j : (int) . 0 <= j && j < Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) -> Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) j) = Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * old_f2_39))) j) };
-    _45 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 120 12 120 53] Equisat0.equisat ( * old_f2_39) ( * f_1) };
-    _46 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 121 12 121 59] CrefsInRange0.crefs_in_range (Model5.model (Type.creusat_trail_trail_Trail_trail trail_2)) ( * f_1) };
-    _47 <- ();
-    _0 <- true;
-    goto BB24
-  }
-  BB14 {
-    _29 <- ();
-    search_23 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 124 8 124 19] search_23 + (1 : usize));
-    _25 <- ();
-    goto BB8
-  }
-  BB15 {
-    _24 <- ();
-    search_23 <- (2 : usize);
-    goto BB16
-  }
-  BB16 {
-    invariant search_bound { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 127 4 127 70] 2 <= UInt64.to_int search_23 && UInt64.to_int search_23 <= UInt64.to_int clause_len_11 };
-    invariant f_unchanged { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 128 4 128 42] f_1 = old_f_9 };
-    invariant w_unchanged { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 129 4 129 48] watches_3 = old_w_7 };
-    invariant uns { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 130 4 130 131] forall m : (int) . UInt64.to_int init_search_16 <= m && m < UInt64.to_int clause_len_11 -> Unsat0.unsat (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4))) m) (Type.creusat_trail_trail_Trail_assignments trail_2) };
-    invariant uns2 { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 131 4 131 117] forall m : (int) . 2 <= m && m < UInt64.to_int search_23 -> Unsat0.unsat (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4))) m) (Type.creusat_trail_trail_Trail_assignments trail_2) };
-    invariant first_not_sat { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 133 4 133 89] not SatInner0.sat_inner (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4))) 0) (Model4.model (Type.creusat_trail_trail_Trail_assignments trail_2)) };
-    _53 <- search_23;
-    _54 <- init_search_16;
-    _52 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 134 10 134 30] _53 < _54);
-    switch (_52)
-      | False -> goto BB23
-      | _ -> goto BB17
-      end
-  }
-  BB17 {
-    _57 <- borrow_mut ( * f_1);
-    f_1 <- { f_1 with current = ( ^ _57) };
-    _58 <- trail_2;
-    _59 <- borrow_mut ( * watches_3);
-    watches_3 <- { watches_3 with current = ( ^ _59) };
-    _60 <- cref_4;
-    _61 <- j_5;
-    _62 <- search_23;
-    _63 <- lit_6;
-    _56 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 135 11 135 72] CheckAndMoveWatch0.check_and_move_watch _57 _58 _59 _60 _61 _62 _63);
-    goto BB18
-  }
-  BB18 {
-    switch (_56)
-      | False -> goto BB22
-      | _ -> goto BB19
-      end
-  }
-  BB19 {
-    assume { Resolve0.resolve watches_3 };
-    _66 <- ();
-    old_f2_65 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 136 25 136 37] f_1);
-    goto BB20
-  }
-  BB20 {
-    _67 <- search_23;
-    _69 <- borrow_mut (Type.creusat_formula_formula_Formula_clauses ( * f_1));
-    f_1 <- { f_1 with current = (let Type.CreuSat_Formula_Formula a b =  * f_1 in Type.CreuSat_Formula_Formula ( ^ _69) b) };
-    assume { Resolve1.resolve f_1 };
-    _70 <- cref_4;
-    _68 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 137 12 137 27] IndexMut0.index_mut _69 _70);
-    goto BB21
-  }
-  BB21 {
-    _68 <- { _68 with current = (let Type.CreuSat_Clause_Clause a b c d =  * _68 in Type.CreuSat_Clause_Clause a b _67 d) };
-    assume { Resolve2.resolve _68 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 138 12 138 130] forall j : (int) . 0 <= j && j < Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) -> Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) j) = Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * old_f2_65))) j) };
-    _71 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 139 12 139 53] Equisat0.equisat ( * old_f2_65) ( * f_1) };
-    _72 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 140 12 140 59] CrefsInRange0.crefs_in_range (Model5.model (Type.creusat_trail_trail_Trail_trail trail_2)) ( * f_1) };
-    _73 <- ();
-    _0 <- true;
-    goto BB24
-  }
-  BB22 {
-    _55 <- ();
-    search_23 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 143 8 143 19] search_23 + (1 : usize));
-    _25 <- ();
-    goto BB16
-  }
-  BB23 {
-    assume { Resolve1.resolve f_1 };
-    assume { Resolve0.resolve watches_3 };
-    _51 <- ();
-    _0 <- false;
-    goto BB25
-  }
-  BB24 {
-    goto BB25
-  }
-  BB25 {
-    return _0
-  }
-  
-end
-module CreuSat_UnitProp_PropagateLitWithRegardToClause_Interface
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.UInt64
-  use prelude.Prelude
-  use mach.int.Int32
-  use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat1
-  clone CreuSat_Logic_LogicFormula_Impl1_Unsat_Interface as Unsat0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model4 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model3
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic_Interface as ToWatchidxLogic0
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val propagate_lit_with_regard_to_clause [@cfg:stackify] (f : borrowed (Type.creusat_formula_formula)) (trail : borrowed (Type.creusat_trail_trail)) (watches : borrowed (Type.creusat_watches_watches)) (cref : usize) (lit : Type.creusat_lit_lit) (j : usize) : Type.core_result_result bool usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 149 0 149 33] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 150 0 150 42] Invariant1.invariant' ( * trail) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 151 0 151 44] Invariant2.invariant' ( * watches) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 152 0 152 63] ToWatchidxLogic0.to_watchidx_logic lit < Seq.length (Model0.model (Type.creusat_watches_watches_Watches_watches ( * watches)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 153 0 153 70] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( * watches))) (ToWatchidxLogic0.to_watchidx_logic lit))) > UInt64.to_int j}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 154 0 154 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 155 0 155 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 156 0 156 39] UInt64.to_int cref < Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 157 0 157 46] Seq.length (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) >= 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 149 0 149 33] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 150 0 150 42] Invariant1.invariant' ( ^ trail) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 151 0 151 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 158 0 158 49] Type.creusat_trail_trail_Trail_decisions ( ^ trail) = Type.creusat_trail_trail_Trail_decisions ( * trail) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 159 0 163 3] match (result) with
-      | Type.Core_Result_Result_Ok (True) -> true
-      | Type.Core_Result_Result_Ok (False) -> Seq.length (Model4.model (Type.creusat_trail_trail_Trail_trail ( ^ trail))) = Seq.length (Model4.model (Type.creusat_trail_trail_Trail_trail ( * trail)))
-      | Type.Core_Result_Result_Err n -> UInt64.to_int n < Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) && Unsat0.unsat ( ^ f) (Type.creusat_trail_trail_Trail_assignments ( ^ trail)) && Unsat1.unsat (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int n)) (Type.creusat_trail_trail_Trail_assignments ( ^ trail))
-      end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 164 0 164 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 165 0 165 25] Equisat0.equisat ( * f) ( ^ f) }
-    
-end
-module CreuSat_UnitProp_PropagateLitWithRegardToClause
-  use seq.Seq
-  use mach.int.Int
-  use mach.int.UInt64
-  use prelude.Prelude
-  use mach.int.Int32
-  use Type
-  use seq.Permut
-  use prelude.UInt8
-  clone CreuSat_Logic_Logic_Unset as Unset1
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset1.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model8 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_clause_clause
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_clause_clause
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model3 with function Model0.model = Model7.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model2.model,
-  function Model1.model = Model3.model
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model5 with function Model0.model = Model2.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.creusat_clause_clause, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model3.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model3.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model2.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model3.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model5.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicClause_Impl2_VarsInRange as VarsInRange0 with function Model0.model = Model3.model,
-  predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner2 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner1 with function Model0.model = Model3.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model2.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model8.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model2.model,
-  function Model1.model = Model3.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner2 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model3.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner2.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner2.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model2.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToLit as ClausePostWithRegardsToLit0 with function Model0.model = Model8.model,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicClause_Impl1_PostUnitInner as PostUnitInner0 with function Model0.model = Model3.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner, predicate UnsatInner0.unsat_inner = UnsatInner2.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl1_PostUnit as PostUnit0 with function Model0.model = Model8.model,
-  predicate PostUnitInner0.post_unit_inner = PostUnitInner0.post_unit_inner
-  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner as UnsatInner1 with function Model0.model = Model3.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner2.unsat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_UnsatInner as UnsatInner0 with function Model0.model = Model2.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Unsat as Unsat0 with function Model0.model = Model8.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat as Unsat1 with function Model0.model = Model8.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model3.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model2.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicLit_Impl1_UnsetInner as UnsetInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_UnitInner as UnitInner0 with predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner, function Model0.model = Model3.model,
-  predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Unit as Unit0 with function Model0.model = Model8.model,
-  predicate UnitInner0.unit_inner = UnitInner0.unit_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Unset as Unset0 with function Model0.model = Model8.model,
-  predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model1.model,
-  function Model1.model = Model2.model, function Model2.model = Model3.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic as ToWatchidxLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model0.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model4.model,
-  function Model1.model = Model8.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model4.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model4.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model6.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model8.model,
-  function Model1.model = Model4.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model6.model, function Model3.model = Model2.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model4.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model6.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model8.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model6.model, function Model1.model = Model4.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve4 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy5 with type t = Type.creusat_watches_watcher
-  clone Core_Slice_Index_Impl2_Output as Output2 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere1 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue2 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds2 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve3 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy4 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone Core_Slice_Index_Impl2_Output as Output1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_trail_trail
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_formula_formula
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy3
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy2
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy1
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model12 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy3.modelTy, function Model0.model = Model8.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model11 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model3.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index2 with function Model0.model = Model11.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model10 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model5.model
-  clone CreuSat_Formula_Impl0_Index_Interface as Index1 with function Model0.model = Model10.model
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut1 with type t = Type.creusat_watches_watcher, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model1.model,
-  predicate InBounds0.in_bounds = InBounds2.in_bounds, predicate HasValue0.has_value = HasValue2.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere1.resolve_elswhere, type Output0.output = Output2.output
-  clone CreuSat_Lit_Impl1_LitSat_Interface as LitSat0 with function Model0.model = Model12.model,
-  predicate Invariant0.invariant' = Invariant6.invariant', predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicLit_Impl1_Unsat as Unsat2 with function Model0.model = Model8.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner2.unsat_inner
-  clone CreuSat_Lit_Impl1_LitUnset_Interface as LitUnset0 with function Model0.model = Model12.model,
-  predicate Invariant0.invariant' = Invariant6.invariant', predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Lit_Impl1_ToWatchidx_Interface as ToWatchidx0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function ToWatchidxLogic0.to_watchidx_logic = ToWatchidxLogic0.to_watchidx_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type i = usize, type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds1.in_bounds, predicate HasValue0.has_value = HasValue1.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output1.output
-  clone CreuSat_Logic_LogicLit_Impl1_IdxInTrail as IdxInTrail0 with function Model0.model = Model4.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Trail_Impl0_DecisionLevel_Interface as DecisionLevel0 with function Model0.model = Model6.model
-  clone CreuSat_UnitProp_Swap_Interface as Swap0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  function Model0.model = Model2.model, function Model1.model = Model3.model, function Model2.model = Model8.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner, predicate Equisat0.equisat = Equisat0.equisat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Trail_Impl0_EnqAssignment_Interface as EnqAssignment0 with predicate Invariant0.invariant' = Invariant1.invariant',
-  predicate Invariant1.invariant' = Invariant0.invariant', predicate Invariant2.invariant' = Invariant6.invariant',
-  predicate Invariant3.invariant' = Invariant5.invariant', function Model0.model = Model2.model,
-  function Model1.model = Model3.model, predicate Unset0.unset = Unset0.unset, predicate Unsat0.unsat = Unsat2.unsat,
-  predicate IdxInTrail0.idx_in_trail = IdxInTrail0.idx_in_trail, function Model2.model = Model8.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate Unset1.unset = Unset1.unset,
-  function Model3.model = Model4.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat,
-  predicate ClausePostWithRegardsToLit0.clause_post_with_regards_to_lit = ClausePostWithRegardsToLit0.clause_post_with_regards_to_lit,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_UnitProp_ExistsNewWatchableLit_Interface as ExistsNewWatchableLit0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  function ToWatchidxLogic0.to_watchidx_logic = ToWatchidxLogic0.to_watchidx_logic,
-  function Model0.model = Model0.model, function Model1.model = Model1.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, function Model2.model = Model2.model,
-  function Model3.model = Model3.model, function Model4.model = Model8.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner, predicate Unsat0.unsat = Unsat2.unsat,
-  predicate Equisat0.equisat = Equisat0.equisat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg propagate_lit_with_regard_to_clause [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 166 0 168 24] (f : borrowed (Type.creusat_formula_formula)) (trail : borrowed (Type.creusat_trail_trail)) (watches : borrowed (Type.creusat_watches_watches)) (cref : usize) (lit : Type.creusat_lit_lit) (j : usize) : Type.core_result_result bool usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 149 0 149 33] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 150 0 150 42] Invariant1.invariant' ( * trail) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 151 0 151 44] Invariant2.invariant' ( * watches) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 152 0 152 63] ToWatchidxLogic0.to_watchidx_logic lit < Seq.length (Model0.model (Type.creusat_watches_watches_Watches_watches ( * watches)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 153 0 153 70] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( * watches))) (ToWatchidxLogic0.to_watchidx_logic lit))) > UInt64.to_int j}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 154 0 154 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 155 0 155 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 156 0 156 39] UInt64.to_int cref < Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 157 0 157 46] Seq.length (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) >= 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 149 0 149 33] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 150 0 150 42] Invariant1.invariant' ( ^ trail) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 151 0 151 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 158 0 158 49] Type.creusat_trail_trail_Trail_decisions ( ^ trail) = Type.creusat_trail_trail_Trail_decisions ( * trail) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 159 0 163 3] match (result) with
-      | Type.Core_Result_Result_Ok (True) -> true
-      | Type.Core_Result_Result_Ok (False) -> Seq.length (Model4.model (Type.creusat_trail_trail_Trail_trail ( ^ trail))) = Seq.length (Model4.model (Type.creusat_trail_trail_Trail_trail ( * trail)))
-      | Type.Core_Result_Result_Err n -> UInt64.to_int n < Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) && Unsat0.unsat ( ^ f) (Type.creusat_trail_trail_Trail_assignments ( ^ trail)) && Unsat1.unsat (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int n)) (Type.creusat_trail_trail_Trail_assignments ( ^ trail))
-      end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 164 0 164 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 165 0 165 25] Equisat0.equisat ( * f) ( ^ f) }
-    
-   =
-  var _0 : Type.core_result_result bool usize;
-  var f_1 : borrowed (Type.creusat_formula_formula);
-  var trail_2 : borrowed (Type.creusat_trail_trail);
-  var watches_3 : borrowed (Type.creusat_watches_watches);
-  var cref_4 : usize;
-  var lit_5 : Type.creusat_lit_lit;
-  var j_6 : usize;
-  ghost var old_w_7 : borrowed (Type.creusat_watches_watches);
-  var _8 : ();
-  var clause_9 : Type.creusat_clause_clause;
-  var _10 : Type.creusat_clause_clause;
-  var _11 : Type.creusat_formula_formula;
-  var _12 : usize;
-  var first_lit_13 : Type.creusat_lit_lit;
-  var _14 : Type.creusat_lit_lit;
-  var _15 : Type.creusat_clause_clause;
-  var _16 : ();
-  var _17 : bool;
-  var _18 : Type.creusat_lit_lit;
-  var _19 : Type.creusat_assignments_assignments;
-  var _20 : Type.creusat_assignments_assignments;
-  var _21 : ();
-  var _22 : ();
-  var _23 : ();
-  var _24 : Type.creusat_lit_lit;
-  var _25 : borrowed (Type.creusat_watches_watcher);
-  var _26 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _27 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _28 : borrowed (Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global));
-  var _29 : usize;
-  var _30 : Type.creusat_lit_lit;
-  var _31 : usize;
-  var second_lit_32 : Type.creusat_lit_lit;
-  var _33 : Type.creusat_lit_lit;
-  var _34 : Type.creusat_clause_clause;
-  var _35 : ();
-  var _36 : bool;
-  var _37 : Type.creusat_lit_lit;
-  var _38 : Type.creusat_assignments_assignments;
-  var _39 : Type.creusat_assignments_assignments;
-  var _40 : ();
-  var _41 : ();
-  var _42 : ();
-  var _43 : Type.creusat_lit_lit;
-  var _44 : borrowed (Type.creusat_watches_watcher);
-  var _45 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _46 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _47 : borrowed (Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global));
-  var _48 : usize;
-  var _49 : Type.creusat_lit_lit;
-  var _50 : usize;
-  var _51 : ();
-  var _52 : bool;
-  var _53 : borrowed (Type.creusat_formula_formula);
-  var _54 : Type.creusat_trail_trail;
-  var _55 : borrowed (Type.creusat_watches_watches);
-  var _56 : usize;
-  var _57 : usize;
-  var _58 : Type.creusat_lit_lit;
-  var _59 : ();
-  var _60 : ();
-  var _61 : bool;
-  var _62 : Type.creusat_lit_lit;
-  var _63 : Type.creusat_assignments_assignments;
-  var _64 : Type.creusat_assignments_assignments;
-  var _65 : ();
-  var _66 : ();
-  var _67 : bool;
-  var _68 : Type.creusat_lit_lit;
-  var _69 : Type.creusat_assignments_assignments;
-  var _70 : Type.creusat_assignments_assignments;
-  var _71 : ();
-  var _72 : ();
-  var _73 : ();
-  var _74 : ();
-  var step_75 : Type.creusat_trail_step;
-  var _76 : Type.creusat_lit_lit;
-  var _77 : usize;
-  var _78 : Type.creusat_trail_trail;
-  var _79 : Type.creusat_trail_reason;
-  var _80 : usize;
-  var _81 : ();
-  var _82 : borrowed (Type.creusat_trail_trail);
-  var _83 : Type.creusat_trail_step;
-  var _84 : Type.creusat_formula_formula;
-  var _85 : ();
-  var _86 : ();
-  var _87 : bool;
-  var _88 : Type.creusat_lit_lit;
-  var _89 : Type.creusat_assignments_assignments;
-  var _90 : Type.creusat_assignments_assignments;
-  var _91 : ();
-  var step_92 : Type.creusat_trail_step;
-  var _93 : Type.creusat_lit_lit;
-  var _94 : usize;
-  var _95 : Type.creusat_trail_trail;
-  var _96 : Type.creusat_trail_reason;
-  var _97 : usize;
-  ghost var old_c_98 : Type.creusat_clause_clause;
-  var _99 : ();
-  var _100 : ();
-  var _101 : ();
-  var _102 : borrowed (Type.creusat_formula_formula);
-  var _103 : Type.creusat_trail_trail;
-  var _104 : Type.creusat_watches_watches;
-  var _105 : usize;
-  var _106 : ();
-  var _107 : ();
-  var _108 : ();
-  var _109 : borrowed (Type.creusat_trail_trail);
-  var _110 : Type.creusat_trail_step;
-  var _111 : Type.creusat_formula_formula;
-  var _112 : ();
-  var _113 : ();
-  var _114 : ();
-  var _115 : usize;
-  {
-    f_1 <- f;
-    trail_2 <- trail;
-    watches_3 <- watches;
-    cref_4 <- cref;
-    lit_5 <- lit;
-    j_6 <- j;
-    goto BB0
-  }
-  BB0 {
-    _8 <- ();
-    old_w_7 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 169 16 169 34] watches_3);
-    goto BB1
-  }
-  BB1 {
-    _11 <-  * f_1;
-    _12 <- cref_4;
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 170 18 170 25] Index1.index _11 _12);
-    goto BB2
-  }
-  BB2 {
-    clause_9 <- _10;
-    _15 <- clause_9;
-    _14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 171 20 171 29] Index2.index _15 (0 : usize));
-    goto BB3
-  }
-  BB3 {
-    first_lit_13 <- _14;
-    _18 <- first_lit_13;
-    _20 <- Type.creusat_trail_trail_Trail_assignments ( * trail_2);
-    _19 <- _20;
-    _17 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 172 7 172 44] LitSat0.lit_sat _18 _19);
-    goto BB4
-  }
-  BB4 {
-    switch (_17)
-      | False -> goto BB9
-      | _ -> goto BB5
-      end
-  }
-  BB5 {
-    assume { Resolve0.resolve f_1 };
-    assume { Resolve1.resolve trail_2 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 174 8 174 49]  ^ watches_3 =  ^ old_w_7 };
-    _22 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 175 8 175 60] IndexLogic0.index_logic first_lit_13 < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f_1)) };
-    _23 <- ();
-    _24 <- first_lit_13;
-    _28 <- borrow_mut (Type.creusat_watches_watches_Watches_watches ( * watches_3));
-    watches_3 <- { watches_3 with current = (let Type.CreuSat_Watches_Watches a =  * watches_3 in Type.CreuSat_Watches_Watches ( ^ _28)) };
-    assume { Resolve2.resolve watches_3 };
-    _30 <- lit_5;
-    _29 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 176 24 176 41] ToWatchidx0.to_watchidx _30);
-    goto BB6
-  }
-  BB6 {
-    _27 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 176 8 176 42] IndexMut0.index_mut _28 _29);
-    goto BB7
-  }
-  BB7 {
-    _26 <- borrow_mut ( * _27);
-    _27 <- { _27 with current = ( ^ _26) };
-    assume { Resolve3.resolve _27 };
-    _31 <- j_6;
-    _25 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 176 8 176 45] IndexMut1.index_mut _26 _31);
-    goto BB8
-  }
-  BB8 {
-    _25 <- { _25 with current = (let Type.CreuSat_Watches_Watcher a b =  * _25 in Type.CreuSat_Watches_Watcher a _24) };
-    assume { Resolve4.resolve _25 };
-    _0 <- Type.Core_Result_Result_Ok true;
-    goto BB38
-  }
-  BB9 {
-    _16 <- ();
-    _34 <- clause_9;
-    _33 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 179 21 179 30] Index2.index _34 (1 : usize));
-    goto BB10
-  }
-  BB10 {
-    second_lit_32 <- _33;
-    _37 <- second_lit_32;
-    _39 <- Type.creusat_trail_trail_Trail_assignments ( * trail_2);
-    _38 <- _39;
-    _36 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 180 7 180 45] LitSat0.lit_sat _37 _38);
-    goto BB11
-  }
-  BB11 {
-    switch (_36)
-      | False -> goto BB16
-      | _ -> goto BB12
-      end
-  }
-  BB12 {
-    assume { Resolve0.resolve f_1 };
-    assume { Resolve1.resolve trail_2 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 182 8 182 49]  ^ watches_3 =  ^ old_w_7 };
-    _41 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 183 8 183 61] IndexLogic0.index_logic second_lit_32 < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f_1)) };
-    _42 <- ();
-    _43 <- second_lit_32;
-    _47 <- borrow_mut (Type.creusat_watches_watches_Watches_watches ( * watches_3));
-    watches_3 <- { watches_3 with current = (let Type.CreuSat_Watches_Watches a =  * watches_3 in Type.CreuSat_Watches_Watches ( ^ _47)) };
-    assume { Resolve2.resolve watches_3 };
-    _49 <- lit_5;
-    _48 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 184 24 184 41] ToWatchidx0.to_watchidx _49);
-    goto BB13
-  }
-  BB13 {
-    _46 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 184 8 184 42] IndexMut0.index_mut _47 _48);
-    goto BB14
-  }
-  BB14 {
-    _45 <- borrow_mut ( * _46);
-    _46 <- { _46 with current = ( ^ _45) };
-    assume { Resolve3.resolve _46 };
-    _50 <- j_6;
-    _44 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 184 8 184 45] IndexMut1.index_mut _45 _50);
-    goto BB15
-  }
-  BB15 {
-    _44 <- { _44 with current = (let Type.CreuSat_Watches_Watcher a b =  * _44 in Type.CreuSat_Watches_Watcher a _43) };
-    assume { Resolve4.resolve _44 };
-    _0 <- Type.Core_Result_Result_Ok true;
-    goto BB37
-  }
-  BB16 {
-    _35 <- ();
-    _53 <- borrow_mut ( * f_1);
-    f_1 <- { f_1 with current = ( ^ _53) };
-    _54 <-  * trail_2;
-    _55 <- borrow_mut ( * watches_3);
-    watches_3 <- { watches_3 with current = ( ^ _55) };
-    _56 <- cref_4;
-    _57 <- j_6;
-    _58 <- lit_5;
-    _52 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 188 7 188 64] ExistsNewWatchableLit0.exists_new_watchable_lit _53 _54 _55 _56 _57 _58);
-    goto BB17
-  }
-  BB17 {
-    switch (_52)
-      | False -> goto BB19
-      | _ -> goto BB18
-      end
-  }
-  BB18 {
-    assume { Resolve0.resolve f_1 };
-    assume { Resolve1.resolve trail_2 };
-    assume { Resolve2.resolve watches_3 };
-    _0 <- Type.Core_Result_Result_Ok false;
-    goto BB37
-  }
-  BB19 {
-    _51 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 192 4 192 175] Unsat1.unsat (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4)) (Type.creusat_trail_trail_Trail_assignments ( * trail_2)) || Unset0.unset (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4))) 0) (Type.creusat_trail_trail_Trail_assignments ( * trail_2)) || Unset0.unset (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4))) 1) (Type.creusat_trail_trail_Trail_assignments ( * trail_2)) };
-    _60 <- ();
-    _62 <- first_lit_13;
-    _64 <- Type.creusat_trail_trail_Trail_assignments ( * trail_2);
-    _63 <- _64;
-    _61 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 193 7 193 46] LitUnset0.lit_unset _62 _63);
-    goto BB20
-  }
-  BB20 {
-    switch (_61)
-      | False -> goto BB27
-      | _ -> goto BB21
-      end
-  }
-  BB21 {
-    assume { Resolve2.resolve watches_3 };
-    _68 <- second_lit_32;
-    _70 <- Type.creusat_trail_trail_Trail_assignments ( * trail_2);
-    _69 <- _70;
-    _67 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 196 11 196 51] LitUnset0.lit_unset _68 _69);
-    goto BB22
-  }
-  BB22 {
-    switch (_67)
-      | False -> goto BB24
-      | _ -> goto BB23
-      end
-  }
-  BB23 {
-    assume { Resolve0.resolve f_1 };
-    assume { Resolve1.resolve trail_2 };
-    _0 <- Type.Core_Result_Result_Ok true;
-    goto BB36
-  }
-  BB24 {
-    _66 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 199 8 199 42] Invariant1.invariant' ( * trail_2) ( * f_1) };
-    _72 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 200 8 200 68] not Unsat1.unsat (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4)) (Type.creusat_trail_trail_Trail_assignments ( * trail_2)) };
-    _73 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 201 8 201 66] Unit0.unit (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4)) (Type.creusat_trail_trail_Trail_assignments ( * trail_2)) };
-    _74 <- ();
-    _76 <- first_lit_13;
-    _78 <-  * trail_2;
-    _77 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 205 28 205 50] DecisionLevel0.decision_level _78);
-    goto BB25
-  }
-  BB25 {
-    _80 <- cref_4;
-    _79 <- Type.CreuSat_Trail_Reason_Long _80;
-    step_75 <- Type.CreuSat_Trail_Step _76 _77 _79;
-    _82 <- borrow_mut ( * trail_2);
-    trail_2 <- { trail_2 with current = ( ^ _82) };
-    _83 <- step_75;
-    _84 <-  * f_1;
-    assume { Resolve0.resolve f_1 };
-    _81 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 209 8 209 37] EnqAssignment0.enq_assignment _82 _83 _84);
-    goto BB26
-  }
-  BB26 {
-    assume { Resolve1.resolve trail_2 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 210 8 210 81] PostUnit0.post_unit (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4)) (Type.creusat_trail_trail_Trail_assignments ( * trail_2)) && true };
-    _85 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 211 8 211 107] ClausePostWithRegardsToLit0.clause_post_with_regards_to_lit (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4)) (Type.creusat_trail_trail_Trail_assignments ( * trail_2)) first_lit_13 };
-    _86 <- ();
-    _0 <- Type.Core_Result_Result_Ok true;
-    goto BB36
-  }
-  BB27 {
-    _88 <- second_lit_32;
-    _90 <- Type.creusat_trail_trail_Trail_assignments ( * trail_2);
-    _89 <- _90;
-    _87 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 213 14 213 54] LitUnset0.lit_unset _88 _89);
-    goto BB28
-  }
-  BB28 {
-    switch (_87)
-      | False -> goto BB34
-      | _ -> goto BB29
-      end
-  }
-  BB29 {
-    _93 <- second_lit_32;
-    _95 <-  * trail_2;
-    _94 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 214 59 214 81] DecisionLevel0.decision_level _95);
-    goto BB30
-  }
-  BB30 {
-    _97 <- cref_4;
-    _96 <- Type.CreuSat_Trail_Reason_Long _97;
-    step_92 <- Type.CreuSat_Trail_Step _93 _94 _96;
-    _99 <- ();
-    old_c_98 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 215 20 215 46] Index0.index (Type.creusat_formula_formula_Formula_clauses ( * f_1)) cref_4);
-    goto BB31
-  }
-  BB31 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 216 8 216 73] Unset0.unset (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4))) 1) (Type.creusat_trail_trail_Trail_assignments ( * trail_2)) };
-    _100 <- ();
-    _102 <- borrow_mut ( * f_1);
-    f_1 <- { f_1 with current = ( ^ _102) };
-    _103 <-  * trail_2;
-    _104 <-  * watches_3;
-    assume { Resolve2.resolve watches_3 };
-    _105 <- cref_4;
-    _101 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 217 8 217 43] Swap0.swap _102 _103 _104 _105 (0 : usize) (1 : usize));
-    goto BB32
-  }
-  BB32 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 218 8 218 68] Permut.exchange (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4))) (Model3.model old_c_98) 0 1 };
-    _106 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 219 8 219 73] Unset0.unset (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4))) 0) (Type.creusat_trail_trail_Trail_assignments ( * trail_2)) };
-    _107 <- ();
-    _109 <- borrow_mut ( * trail_2);
-    trail_2 <- { trail_2 with current = ( ^ _109) };
-    _110 <- step_92;
-    _111 <-  * f_1;
-    assume { Resolve0.resolve f_1 };
-    _108 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 220 8 220 37] EnqAssignment0.enq_assignment _109 _110 _111);
-    goto BB33
-  }
-  BB33 {
-    assume { Resolve1.resolve trail_2 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 221 8 221 73] PostUnit0.post_unit (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4)) (Type.creusat_trail_trail_Trail_assignments ( * trail_2)) };
-    _112 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 222 8 222 108] ClausePostWithRegardsToLit0.clause_post_with_regards_to_lit (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f_1))) (UInt64.to_int cref_4)) (Type.creusat_trail_trail_Trail_assignments ( * trail_2)) second_lit_32 };
-    _113 <- ();
-    _0 <- Type.Core_Result_Result_Ok true;
-    goto BB35
-  }
-  BB34 {
-    assume { Resolve0.resolve f_1 };
-    assume { Resolve1.resolve trail_2 };
-    assume { Resolve2.resolve watches_3 };
-    _115 <- cref_4;
-    _0 <- Type.Core_Result_Result_Err _115;
-    goto BB35
-  }
-  BB35 {
-    goto BB36
-  }
-  BB36 {
-    goto BB37
-  }
-  BB37 {
-    goto BB38
-  }
-  BB38 {
-    return _0
-  }
-  
+  predicate post_unit_inner (self : Type.creusat_clause_clause) (a : Seq.seq uint8)
 end
-module CreuSat_UnitProp_PropagateLiteral_Interface
-  use mach.int.UInt64
+module CreuSat_Logic_LogicClause_Impl1_PostUnitInner
+  use Type
+  use seq.Seq
   use mach.int.Int
   use prelude.Prelude
+  use prelude.UInt8
   use mach.int.Int32
-  use Type
-  use seq.Seq
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat1
-  clone CreuSat_Logic_LogicFormula_Impl1_Unsat_Interface as Unsat0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val propagate_literal [@cfg:stackify] (f : borrowed (Type.creusat_formula_formula)) (trail : borrowed (Type.creusat_trail_trail)) (watches : borrowed (Type.creusat_watches_watches)) (lit : Type.creusat_lit_lit) : Type.core_result_result () usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 230 0 230 33] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 231 0 231 42] Invariant1.invariant' ( * trail) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 232 0 232 44] Invariant2.invariant' ( * watches) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 233 0 233 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 234 0 234 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 230 0 230 33] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 231 0 231 42] Invariant1.invariant' ( ^ trail) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 232 0 232 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 235 0 238 3] match (result) with
-      | Type.Core_Result_Result_Ok () -> true
-      | Type.Core_Result_Result_Err n -> UInt64.to_int n < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) && Unsat0.unsat ( ^ f) (Type.creusat_trail_trail_Trail_assignments ( ^ trail)) && Unsat1.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int n)) (Type.creusat_trail_trail_Trail_assignments ( ^ trail))
-      end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 239 0 239 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 240 0 240 25] Equisat0.equisat ( * f) ( ^ f) }
+  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner_Interface as UnsatInner0
+  clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
+  predicate post_unit_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 56 4 56 63] (self : Type.creusat_clause_clause) (a : Seq.seq uint8)
     
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 57 8 61 9] exists i : (int) . 0 <= i /\ i < Seq.length (Model0.model self) /\ SatInner0.sat_inner (Seq.get (Model0.model self) i) a /\ (forall j : (int) . 0 <= j /\ j < Seq.length (Model0.model self) /\ j <> i -> UnsatInner0.unsat_inner (Seq.get (Model0.model self) j) a)
 end
-module CreuSat_UnitProp_PropagateLiteral
-  use mach.int.UInt64
+module CreuSat_Logic_LogicClause_Impl1_NoUnsetInner_Interface
+  use Type
+  use seq.Seq
   use mach.int.Int
   use prelude.Prelude
-  use mach.int.Int32
+  use prelude.UInt8
+  predicate no_unset_inner (self : Type.creusat_clause_clause) (a : Seq.seq uint8)
+end
+module CreuSat_Logic_LogicClause_Impl1_NoUnsetInner
   use Type
   use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
   use prelude.UInt8
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model6 with function Model0.model = Model9.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model5 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model5.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model0.model,
-  function Model1.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model3 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model6.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model0.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model5.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model0.model,
-  function Model1.model = Model6.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model6.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model3.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner2 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner2.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner as UnsatInner1 with function Model0.model = Model6.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner2.unsat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_UnsatInner as UnsatInner0 with function Model0.model = Model0.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Unsat as Unsat0 with function Model0.model = Model5.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat as Unsat1 with function Model0.model = Model5.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model7.model,
-  function Model1.model = Model0.model, function Model2.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model1.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model4.model,
-  function Model1.model = Model5.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model4.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model4.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model2.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model5.model,
-  function Model1.model = Model4.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model2.model, function Model3.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model4.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model2.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model5.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model2.model, function Model1.model = Model4.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  use mach.int.Int64
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_trail_trail
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_formula_formula
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy2
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_watches_watcher
-  clone Core_Slice_Index_Impl2_Output as Output1 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue1 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds1 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model10 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model5.model
-  clone Alloc_Vec_Impl16_Index_Interface as Index1 with type t = Type.creusat_watches_watcher, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model7.model,
-  predicate InBounds0.in_bounds = InBounds1.in_bounds, predicate HasValue0.has_value = HasValue1.has_value,
-  type Output0.output = Output1.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic as ToWatchidxLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl1_ToWatchidx_Interface as ToWatchidx0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function ToWatchidxLogic0.to_watchidx_logic = ToWatchidxLogic0.to_watchidx_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl1_LitSat_Interface as LitSat0 with function Model0.model = Model10.model,
-  predicate Invariant0.invariant' = Invariant6.invariant', predicate Sat0.sat = Sat0.sat
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type i = usize, type a = Type.alloc_alloc_global, function Model0.model = Model1.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  clone CreuSat_UnitProp_PropagateLitWithRegardToClause_Interface as PropagateLitWithRegardToClause0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  function ToWatchidxLogic0.to_watchidx_logic = ToWatchidxLogic0.to_watchidx_logic,
-  function Model0.model = Model1.model, function Model1.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, function Model2.model = Model0.model,
-  function Model3.model = Model6.model, function Model4.model = Model4.model, predicate Unsat0.unsat = Unsat0.unsat,
-  predicate Unsat1.unsat = Unsat1.unsat, predicate Equisat0.equisat = Equisat0.equisat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg propagate_literal [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 241 0 241 110] (f : borrowed (Type.creusat_formula_formula)) (trail : borrowed (Type.creusat_trail_trail)) (watches : borrowed (Type.creusat_watches_watches)) (lit : Type.creusat_lit_lit) : Type.core_result_result () usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 230 0 230 33] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 231 0 231 42] Invariant1.invariant' ( * trail) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 232 0 232 44] Invariant2.invariant' ( * watches) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 233 0 233 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 234 0 234 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 230 0 230 33] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 231 0 231 42] Invariant1.invariant' ( ^ trail) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 232 0 232 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 235 0 238 3] match (result) with
-      | Type.Core_Result_Result_Ok () -> true
-      | Type.Core_Result_Result_Err n -> UInt64.to_int n < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) && Unsat0.unsat ( ^ f) (Type.creusat_trail_trail_Trail_assignments ( ^ trail)) && Unsat1.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int n)) (Type.creusat_trail_trail_Trail_assignments ( ^ trail))
-      end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 239 0 239 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 240 0 240 25] Equisat0.equisat ( * f) ( ^ f) }
+  use mach.int.Int32
+  clone CreuSat_Logic_LogicLit_Impl1_UnsetInner_Interface as UnsetInner0
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
+  predicate no_unset_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 65 4 65 62] (self : Type.creusat_clause_clause) (a : Seq.seq uint8)
     
    =
-  var _0 : Type.core_result_result () usize;
-  var f_1 : borrowed (Type.creusat_formula_formula);
-  var trail_2 : borrowed (Type.creusat_trail_trail);
-  var watches_3 : borrowed (Type.creusat_watches_watches);
-  var lit_4 : Type.creusat_lit_lit;
-  var j_5 : usize;
-  var watchidx_6 : usize;
-  var _7 : Type.creusat_lit_lit;
-  var _8 : ();
-  var _9 : ();
-  ghost var old_trail_10 : borrowed (Type.creusat_trail_trail);
-  var _11 : ();
-  ghost var old_f_12 : borrowed (Type.creusat_formula_formula);
-  var _13 : ();
-  ghost var old_w_14 : borrowed (Type.creusat_watches_watches);
-  var _15 : ();
-  var _16 : ();
-  var _17 : ();
-  var _18 : bool;
-  var _19 : usize;
-  var _20 : usize;
-  var _21 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _22 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _23 : Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global);
-  var _24 : usize;
-  var curr_watch_25 : Type.creusat_watches_watcher;
-  var _26 : Type.creusat_watches_watcher;
-  var _27 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _28 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _29 : Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global);
-  var _30 : usize;
-  var _31 : usize;
-  var _32 : bool;
-  var _33 : Type.creusat_lit_lit;
-  var _34 : Type.creusat_assignments_assignments;
-  var _35 : Type.creusat_assignments_assignments;
-  var cref_36 : usize;
-  var _37 : Type.core_result_result bool usize;
-  var _38 : borrowed (Type.creusat_formula_formula);
-  var _39 : borrowed (Type.creusat_trail_trail);
-  var _40 : borrowed (Type.creusat_watches_watches);
-  var _41 : usize;
-  var _42 : Type.creusat_lit_lit;
-  var _43 : usize;
-  var _44 : isize;
-  var cref_45 : usize;
-  var _46 : ();
-  var _47 : usize;
-  var _48 : ();
-  var _49 : ();
-  var _50 : ();
-  var _51 : ();
-  {
-    f_1 <- f;
-    trail_2 <- trail;
-    watches_3 <- watches;
-    lit_4 <- lit;
-    goto BB0
-  }
-  BB0 {
-    j_5 <- (0 : usize);
-    _7 <- lit_4;
-    watchidx_6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 243 19 243 36] ToWatchidx0.to_watchidx _7);
-    goto BB1
-  }
-  BB1 {
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 244 4 244 62] Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( * watches_3))) = 2 * UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f_1)) };
-    _8 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 245 4 245 55] Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( * watches_3))) > UInt64.to_int watchidx_6 };
-    _9 <- ();
-    _11 <- ();
-    old_trail_10 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 246 20 246 36] trail_2);
-    goto BB2
-  }
-  BB2 {
-    _13 <- ();
-    old_f_12 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 247 16 247 28] f_1);
-    goto BB3
-  }
-  BB3 {
-    _15 <- ();
-    old_w_14 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 248 16 248 34] watches_3);
-    goto BB4
-  }
-  BB4 {
-    goto BB5
-  }
-  BB5 {
-    invariant trail_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 249 4 249 48] Invariant1.invariant' ( * trail_2) ( * f_1) };
-    invariant watch_len { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 250 4 250 79] Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( * watches_3))) = Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( * old_w_14))) };
-    invariant watch_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 251 4 251 50] Invariant2.invariant' ( * watches_3) ( * f_1) };
-    invariant f_equi { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 252 4 252 43] Equisat0.equisat ( * old_f_12) ( * f_1) };
-    invariant f_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 253 4 253 38] Invariant0.invariant' ( * f_1) };
-    invariant dec_unch { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 254 4 254 72] Model2.model (Type.creusat_trail_trail_Trail_decisions ( * trail_2)) = Model2.model (Type.creusat_trail_trail_Trail_decisions ( * old_trail_10)) };
-    invariant nvars_unch { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 255 4 255 60] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f_1)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * old_f_12)) };
-    invariant proph_t { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 256 4 256 55]  ^ trail_2 =  ^ old_trail_10 };
-    invariant proph_f { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 257 4 257 47]  ^ f_1 =  ^ old_f_12 };
-    invariant proph_w { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 258 4 258 53]  ^ watches_3 =  ^ old_w_14 };
-    _19 <- j_5;
-    _23 <- Type.creusat_watches_watches_Watches_watches ( * watches_3);
-    _24 <- watchidx_6;
-    _22 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 259 14 259 39] Index0.index _23 _24);
-    goto BB6
-  }
-  BB6 {
-    _21 <- _22;
-    _20 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 259 14 259 45] Len0.len _21);
-    goto BB7
-  }
-  BB7 {
-    _18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 259 10 259 45] _19 < _20);
-    switch (_18)
-      | False -> goto BB22
-      | _ -> goto BB8
-      end
-  }
-  BB8 {
-    _29 <- Type.creusat_watches_watches_Watches_watches ( * watches_3);
-    _30 <- watchidx_6;
-    _28 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 260 26 260 51] Index0.index _29 _30);
-    goto BB9
-  }
-  BB9 {
-    _27 <- _28;
-    _31 <- j_5;
-    _26 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 260 26 260 54] Index1.index _27 _31);
-    goto BB10
-  }
-  BB10 {
-    curr_watch_25 <- _26;
-    _33 <- Type.creusat_watches_watcher_Watcher_blocker curr_watch_25;
-    _35 <- Type.creusat_trail_trail_Trail_assignments ( * trail_2);
-    _34 <- _35;
-    _32 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 261 11 261 57] LitSat0.lit_sat _33 _34);
-    goto BB11
-  }
-  BB11 {
-    switch (_32)
-      | False -> goto BB13
-      | _ -> goto BB12
-      end
-  }
-  BB12 {
-    j_5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 262 12 262 18] j_5 + (1 : usize));
-    _17 <- ();
-    goto BB21
-  }
-  BB13 {
-    cref_36 <- Type.creusat_watches_watcher_Watcher_cref curr_watch_25;
-    _38 <- borrow_mut ( * f_1);
-    f_1 <- { f_1 with current = ( ^ _38) };
-    _39 <- borrow_mut ( * trail_2);
-    trail_2 <- { trail_2 with current = ( ^ _39) };
-    _40 <- borrow_mut ( * watches_3);
-    watches_3 <- { watches_3 with current = ( ^ _40) };
-    _41 <- cref_36;
-    _42 <- lit_4;
-    _43 <- j_5;
-    _37 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 265 18 265 86] PropagateLitWithRegardToClause0.propagate_lit_with_regard_to_clause _38 _39 _40 _41 _42 _43);
-    goto BB14
-  }
-  BB14 {
-    switch (_37)
-      | Type.Core_Result_Result_Ok _ -> goto BB15
-      | Type.Core_Result_Result_Err _ -> goto BB16
-      end
-  }
-  BB15 {
-    switch (Type.core_result_result_Ok_0 _37)
-      | False -> goto BB19
-      | _ -> goto BB18
-      end
-  }
-  BB16 {
-    assume { Resolve0.resolve f_1 };
-    assume { Resolve1.resolve trail_2 };
-    assume { Resolve2.resolve watches_3 };
-    cref_45 <- Type.core_result_result_Err_0 _37;
-    _47 <- cref_45;
-    _0 <- Type.Core_Result_Result_Err _47;
-    goto BB23
-  }
-  BB17 {
-    assume { Resolve0.resolve f_1 };
-    assume { Resolve1.resolve trail_2 };
-    assume { Resolve2.resolve watches_3 };
-    absurd
-  }
-  BB18 {
-    j_5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 267 20 267 26] j_5 + (1 : usize));
-    _17 <- ();
-    goto BB20
-  }
-  BB19 {
-    _17 <- ();
-    goto BB20
-  }
-  BB20 {
-    goto BB21
-  }
-  BB21 {
-    goto BB5
-  }
-  BB22 {
-    assume { Resolve0.resolve f_1 };
-    assume { Resolve1.resolve trail_2 };
-    assume { Resolve2.resolve watches_3 };
-    _16 <- ();
-    _51 <- ();
-    _0 <- Type.Core_Result_Result_Ok _51;
-    goto BB23
-  }
-  BB23 {
-    return _0
-  }
-  
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 66 8 68 9] forall j : (int) . 0 <= j /\ j < Seq.length (Model0.model self) -> not UnsetInner0.unset_inner (Seq.get (Model0.model self) j) a
+end
+module CreuSat_Logic_LogicClause_Impl1_PostUnit_Interface
+  use Type
+  predicate post_unit (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
+end
+module CreuSat_Logic_LogicClause_Impl1_PostUnit
+  use Type
+  clone CreuSat_Logic_LogicClause_Impl1_PostUnitInner_Interface as PostUnitInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
+  predicate post_unit [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 72 4 72 50] (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 73 8 73 46] PostUnitInner0.post_unit_inner self (Model0.model a)
+end
+module CreuSat_Logic_LogicClause_Impl1_EqAssnInner_Interface
+  use Type
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
+  use prelude.UInt8
+  predicate eq_assn_inner (self : Type.creusat_clause_clause) (a : Seq.seq uint8) (a2 : Seq.seq uint8)
+end
+module CreuSat_Logic_LogicClause_Impl1_EqAssnInner
+  use Type
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
+  use prelude.UInt8
+  use mach.int.Int32
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
+  predicate eq_assn_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 77 4 77 85] (self : Type.creusat_clause_clause) (a : Seq.seq uint8) (a2 : Seq.seq uint8)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 78 8 81 9] forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model self) -> Seq.get a (IndexLogic0.index_logic (Seq.get (Model0.model self) i)) = Seq.get a2 (IndexLogic0.index_logic (Seq.get (Model0.model self) i))
 end
-module CreuSat_UnitProp_UnitPropagate_Interface
-  use mach.int.UInt64
+module CreuSat_Logic_LogicClause_Impl2_Unknown_Interface
+  use Type
+  predicate unknown (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
+end
+module CreuSat_Logic_LogicClause_Impl2_Unknown
+  use Type
+  clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat0
+  clone CreuSat_Logic_LogicClause_Impl2_Sat_Interface as Sat0
+  predicate unknown [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 173 4 173 48] (self : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 172 4 172 16] not Sat0.sat self a /\ not Unsat0.unsat self a
+end
+module CreuSat_Logic_LogicClause_Impl2_SearchIdxInRange_Interface
+  use Type
+  predicate search_idx_in_range (self : Type.creusat_clause_clause)
+end
+module CreuSat_Logic_LogicClause_Impl2_SearchIdxInRange
+  use Type
   use mach.int.Int
-  use prelude.Prelude
   use mach.int.Int32
+  use mach.int.UInt64
+  use seq.Seq
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model0
+  predicate search_idx_in_range [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 188 4 188 44] (self : Type.creusat_clause_clause)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 189 8 191 9] 2 <= UInt64.to_int (Type.creusat_clause_clause_Clause_search self) /\ UInt64.to_int (Type.creusat_clause_clause_Clause_search self) <= Seq.length (Model0.model self)
+end
+module CreuSat_Logic_LogicClause_Impl2_InvariantUnaryOk_Interface
+  use Type
+  use mach.int.Int
+  predicate invariant_unary_ok (self : Type.creusat_clause_clause) (n : int)
+end
+module CreuSat_Logic_LogicClause_Impl2_InvariantUnaryOk
+  use Type
+  use mach.int.Int
+  clone CreuSat_Logic_LogicClause_Impl2_SearchIdxInRange_Interface as SearchIdxInRange0
+  clone CreuSat_Logic_LogicClause_Impl2_NoDuplicateIndexes_Interface as NoDuplicateIndexes0
+  clone CreuSat_Logic_LogicClause_Impl2_VarsInRange_Interface as VarsInRange0
+  predicate invariant_unary_ok [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 203 4 203 51] (self : Type.creusat_clause_clause) (n : int)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_clause.rs" 205 8 205 104] VarsInRange0.vars_in_range self n /\ NoDuplicateIndexes0.no_duplicate_indexes self /\ SearchIdxInRange0.search_idx_in_range self
+end
+module CreuSat_Logic_LogicFormula_Impl2_Compatible_Interface
   use Type
+  predicate compatible (self : Type.creusat_formula_formula) (o : Type.creusat_formula_formula)
+end
+module CreuSat_Logic_LogicFormula_Impl2_Compatible
+  use Type
+  use mach.int.UInt64
   use seq.Seq
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat1
-  clone CreuSat_Logic_LogicFormula_Impl1_Unsat_Interface as Unsat0
+  use mach.int.Int
+  use mach.int.Int32
+  clone CreuSat_Logic_LogicClause_Impl2_Equals_Interface as Equals0
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val unit_propagate [@cfg:stackify] (f : borrowed (Type.creusat_formula_formula)) (trail : borrowed (Type.creusat_trail_trail)) (watches : borrowed (Type.creusat_watches_watches)) : Type.core_result_result () usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 280 0 280 33] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 281 0 281 42] Invariant1.invariant' ( * trail) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 282 0 282 44] Invariant2.invariant' ( * watches) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 283 0 283 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 280 0 280 33] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 281 0 281 42] Invariant1.invariant' ( ^ trail) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 282 0 282 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 284 0 287 3] match (result) with
-      | Type.Core_Result_Result_Ok () -> true
-      | Type.Core_Result_Result_Err n -> UInt64.to_int n < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) && Unsat0.unsat ( ^ f) (Type.creusat_trail_trail_Trail_assignments ( ^ trail)) && Unsat1.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int n)) (Type.creusat_trail_trail_Trail_assignments ( ^ trail))
-      end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 288 0 288 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 289 0 289 25] Equisat0.equisat ( * f) ( ^ f) }
+  predicate compatible [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 91 4 91 47] (self : Type.creusat_formula_formula) (o : Type.creusat_formula_formula)
     
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 92 8 97 9] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars o) /\ Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses o)) >= Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) /\ (forall i : (int) . 0 <= i /\ i < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) -> Equals0.equals (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) i) (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses o)) i))
+end
+module CreuSat_Logic_LogicFormula_Impl2_EventuallySatInner_Interface
+  use Type
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
+  use prelude.UInt8
+  predicate eventually_sat_inner (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
 end
-module CreuSat_UnitProp_UnitPropagate
+module CreuSat_Logic_LogicFormula_Impl2_EventuallySatInner
+  use Type
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
+  use prelude.UInt8
   use mach.int.UInt64
+  clone CreuSat_Logic_LogicFormula_Impl2_SatInner_Interface as SatInner0
+  clone CreuSat_Logic_LogicAssignments_CompatibleInner_Interface as CompatibleInner0
+  predicate eventually_sat_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 125 4 125 64] (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 126 8 128 9] exists a2 : (Seq.seq uint8) . Seq.length a2 = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self) /\ CompatibleInner0.compatible_inner a a2 /\ SatInner0.sat_inner self a2
+end
+module CreuSat_Logic_LogicFormula_Impl2_EventuallySatCompleteInner_Interface
+  use Type
+  use seq.Seq
   use mach.int.Int
   use prelude.Prelude
-  use mach.int.Int32
+  use prelude.UInt8
+  predicate eventually_sat_complete_inner (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
+end
+module CreuSat_Logic_LogicFormula_Impl2_EventuallySatCompleteInner
   use Type
   use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
   use prelude.UInt8
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model6 with function Model0.model = Model9.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model5 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model6.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model5.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model6.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner2 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner2.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner as UnsatInner1 with function Model0.model = Model6.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner2.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat as Unsat1 with function Model0.model = Model5.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model0.model,
-  function Model1.model = Model6.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model0.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model0.model,
-  function Model1.model = Model6.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model0.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_UnsatInner as UnsatInner0 with function Model0.model = Model0.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Unsat as Unsat0 with function Model0.model = Model5.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model7.model,
-  function Model1.model = Model0.model, function Model2.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model2 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model2.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model1.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model4.model,
-  function Model1.model = Model5.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model4.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model4.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model3.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model5.model,
-  function Model1.model = Model4.model, predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model2.model = Model3.model, function Model3.model = Model0.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model4.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model3.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model5.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model3.model, function Model1.model = Model4.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  use mach.int.Int64
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_trail_trail
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_formula_formula
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = Type.creusat_trail_step
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.creusat_trail_step
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.creusat_trail_step
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.creusat_trail_step
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.creusat_trail_step, type i = usize,
-  type a = Type.alloc_alloc_global, function Model0.model = Model4.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_trail_step, type a = Type.alloc_alloc_global,
-  function Model0.model = Model4.model
-  clone CreuSat_UnitProp_PropagateLiteral_Interface as PropagateLiteral0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, function Model0.model = Model0.model,
-  predicate Unsat0.unsat = Unsat0.unsat, predicate Unsat1.unsat = Unsat1.unsat,
-  predicate Equisat0.equisat = Equisat0.equisat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg unit_propagate [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 290 0 290 101] (f : borrowed (Type.creusat_formula_formula)) (trail : borrowed (Type.creusat_trail_trail)) (watches : borrowed (Type.creusat_watches_watches)) : Type.core_result_result () usize
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 280 0 280 33] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 281 0 281 42] Invariant1.invariant' ( * trail) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 282 0 282 44] Invariant2.invariant' ( * watches) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 283 0 283 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 280 0 280 33] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 281 0 281 42] Invariant1.invariant' ( ^ trail) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 282 0 282 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 284 0 287 3] match (result) with
-      | Type.Core_Result_Result_Ok () -> true
-      | Type.Core_Result_Result_Err n -> UInt64.to_int n < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) && Unsat0.unsat ( ^ f) (Type.creusat_trail_trail_Trail_assignments ( ^ trail)) && Unsat1.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int n)) (Type.creusat_trail_trail_Trail_assignments ( ^ trail))
-      end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 288 0 288 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 289 0 289 25] Equisat0.equisat ( * f) ( ^ f) }
+  use mach.int.UInt64
+  clone CreuSat_Logic_LogicFormula_Impl2_SatInner_Interface as SatInner0
+  clone CreuSat_Logic_LogicAssignments_CompatibleCompleteInner_Interface as CompatibleCompleteInner0
+  predicate eventually_sat_complete_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 132 4 132 73] (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
     
    =
-  var _0 : Type.core_result_result () usize;
-  var f_1 : borrowed (Type.creusat_formula_formula);
-  var trail_2 : borrowed (Type.creusat_trail_trail);
-  var watches_3 : borrowed (Type.creusat_watches_watches);
-  var i_4 : usize;
-  ghost var old_trail_5 : borrowed (Type.creusat_trail_trail);
-  var _6 : ();
-  ghost var old_f_7 : borrowed (Type.creusat_formula_formula);
-  var _8 : ();
-  ghost var old_w_9 : borrowed (Type.creusat_watches_watches);
-  var _10 : ();
-  var _11 : ();
-  var _12 : ();
-  var _13 : bool;
-  var _14 : usize;
-  var _15 : usize;
-  var _16 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var lit_17 : Type.creusat_lit_lit;
-  var _18 : Type.creusat_trail_step;
-  var _19 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var _20 : usize;
-  var _21 : ();
-  var _22 : Type.core_result_result () usize;
-  var _23 : borrowed (Type.creusat_formula_formula);
-  var _24 : borrowed (Type.creusat_trail_trail);
-  var _25 : borrowed (Type.creusat_watches_watches);
-  var _26 : Type.creusat_lit_lit;
-  var _27 : isize;
-  var cref_28 : usize;
-  var _29 : ();
-  var _30 : usize;
-  var _31 : ();
-  var _32 : ();
-  var _33 : ();
-  var _34 : usize;
-  var _35 : ();
-  {
-    f_1 <- f;
-    trail_2 <- trail;
-    watches_3 <- watches;
-    goto BB0
-  }
-  BB0 {
-    i_4 <- Type.creusat_trail_trail_Trail_curr_i ( * trail_2);
-    _6 <- ();
-    old_trail_5 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 292 20 292 36] trail_2);
-    goto BB1
-  }
-  BB1 {
-    _8 <- ();
-    old_f_7 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 293 16 293 28] f_1);
-    goto BB2
-  }
-  BB2 {
-    _10 <- ();
-    old_w_9 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 294 16 294 34] watches_3);
-    goto BB3
-  }
-  BB3 {
-    goto BB4
-  }
-  BB4 {
-    invariant f_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 295 4 295 38] Invariant0.invariant' ( * f_1) };
-    invariant trail_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 296 4 296 48] Invariant1.invariant' ( * trail_2) ( * f_1) };
-    invariant watch_len { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 297 4 297 79] Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( * watches_3))) = Seq.length (Model1.model (Type.creusat_watches_watches_Watches_watches ( * old_w_9))) };
-    invariant watch_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 298 4 298 50] Invariant2.invariant' ( * watches_3) ( * f_1) };
-    invariant f_equi { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 299 4 299 43] Equisat0.equisat ( * old_f_7) ( * f_1) };
-    invariant nvars_unch { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 300 4 300 60] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f_1)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * old_f_7)) };
-    invariant proph_t { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 301 4 301 55]  ^ trail_2 =  ^ old_trail_5 };
-    invariant proph_f { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 302 4 302 47]  ^ f_1 =  ^ old_f_7 };
-    invariant proph_w { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 303 4 303 53]  ^ watches_3 =  ^ old_w_9 };
-    _14 <- i_4;
-    _16 <- Type.creusat_trail_trail_Trail_trail ( * trail_2);
-    _15 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 304 14 304 31] Len0.len _16);
-    goto BB5
-  }
-  BB5 {
-    _13 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 304 10 304 31] _14 < _15);
-    switch (_13)
-      | False -> goto BB12
-      | _ -> goto BB6
-      end
-  }
-  BB6 {
-    _19 <- Type.creusat_trail_trail_Trail_trail ( * trail_2);
-    _20 <- i_4;
-    _18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 305 18 305 32] Index0.index _19 _20);
-    goto BB7
-  }
-  BB7 {
-    lit_17 <- Type.creusat_trail_step_Step_lit _18;
-    _23 <- borrow_mut ( * f_1);
-    f_1 <- { f_1 with current = ( ^ _23) };
-    _24 <- borrow_mut ( * trail_2);
-    trail_2 <- { trail_2 with current = ( ^ _24) };
-    _25 <- borrow_mut ( * watches_3);
-    watches_3 <- { watches_3 with current = ( ^ _25) };
-    _26 <- lit_17;
-    _22 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 306 14 306 55] PropagateLiteral0.propagate_literal _23 _24 _25 _26);
-    goto BB8
-  }
-  BB8 {
-    switch (_22)
-      | Type.Core_Result_Result_Ok _ -> goto BB11
-      | Type.Core_Result_Result_Err _ -> goto BB9
-      end
-  }
-  BB9 {
-    assume { Resolve0.resolve f_1 };
-    assume { Resolve1.resolve trail_2 };
-    assume { Resolve2.resolve watches_3 };
-    cref_28 <- Type.core_result_result_Err_0 _22;
-    _30 <- cref_28;
-    _0 <- Type.Core_Result_Result_Err _30;
-    goto BB13
-  }
-  BB10 {
-    assume { Resolve0.resolve f_1 };
-    assume { Resolve1.resolve trail_2 };
-    assume { Resolve2.resolve watches_3 };
-    absurd
-  }
-  BB11 {
-    _21 <- ();
-    i_4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/unit_prop.rs" 312 8 312 14] i_4 + (1 : usize));
-    _12 <- ();
-    goto BB4
-  }
-  BB12 {
-    assume { Resolve0.resolve f_1 };
-    assume { Resolve2.resolve watches_3 };
-    _11 <- ();
-    _34 <- i_4;
-    trail_2 <- { trail_2 with current = (let Type.CreuSat_Trail_Trail a b c d e =  * trail_2 in Type.CreuSat_Trail_Trail a b c _34 e) };
-    assume { Resolve1.resolve trail_2 };
-    _35 <- ();
-    _0 <- Type.Core_Result_Result_Ok _35;
-    goto BB13
-  }
-  BB13 {
-    return _0
-  }
-  
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 133 8 135 9] exists a2 : (Seq.seq uint8) . Seq.length a2 = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars self) /\ CompatibleCompleteInner0.compatible_complete_inner a a2 /\ SatInner0.sat_inner self a2
+end
+module CreuSat_Logic_LogicFormula_Impl2_EventuallySatComplete_Interface
+  use Type
+  predicate eventually_sat_complete (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
+end
+module CreuSat_Logic_LogicFormula_Impl2_EventuallySatComplete
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_EventuallySatCompleteInner_Interface as EventuallySatCompleteInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
+  predicate eventually_sat_complete [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 139 4 139 60] (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 140 8 140 59] EventuallySatCompleteInner0.eventually_sat_complete_inner self (Model0.model a)
+end
+module CreuSat_Logic_LogicFormula_Impl2_EventuallySat_Interface
+  use Type
+  predicate eventually_sat (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
+end
+module CreuSat_Logic_LogicFormula_Impl2_EventuallySat
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_EventuallySatInner_Interface as EventuallySatInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
+  predicate eventually_sat [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 144 4 144 51] (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 145 8 145 50] EventuallySatInner0.eventually_sat_inner self (Model0.model a)
 end
-module CreuSat_Solver_Impl0_UnitPropStep_Interface
-  use mach.int.UInt64
+module CreuSat_Logic_LogicFormula_Impl2_UnsatInner_Interface
+  use Type
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
+  use prelude.UInt8
+  predicate unsat_inner (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
+end
+module CreuSat_Logic_LogicFormula_Impl2_UnsatInner
+  use Type
+  use seq.Seq
   use mach.int.Int
   use prelude.Prelude
+  use prelude.UInt8
   use mach.int.Int32
+  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner_Interface as UnsatInner0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  predicate unsat_inner [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 162 4 162 55] (self : Type.creusat_formula_formula) (a : Seq.seq uint8)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 163 8 166 9] exists i : (int) . 0 <= i /\ i < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) /\ UnsatInner0.unsat_inner (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses self)) i) a
+end
+module CreuSat_Logic_LogicFormula_Impl2_Unsat_Interface
   use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable_Interface as NotSatisfiable0
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant3
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  axiom .
-  val unit_prop_step [@cfg:stackify] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (d : borrowed (Type.creusat_decision_decisions)) (t : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) : Type.creusat_solver_conflictresult
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 195 4 195 37] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 196 4 196 42] Invariant1.invariant' ( * w) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 197 4 197 42] Invariant2.invariant' ( * t) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 198 4 198 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 199 4 199 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 195 4 195 37] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 196 4 196 42] Invariant1.invariant' ( ^ w) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 197 4 197 42] Invariant2.invariant' ( ^ t) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 198 4 198 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 200 4 200 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 201 4 201 29] Equisat0.equisat ( * f) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 202 4 205 7] match (result) with
-      | Type.CreuSat_Solver_ConflictResult_Ground -> NotSatisfiable0.not_satisfiable ( ^ f)
-      | _ -> true
-      end }
+  predicate unsat (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
+end
+module CreuSat_Logic_LogicFormula_Impl2_Unsat
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_UnsatInner_Interface as UnsatInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
+  predicate unsat [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 170 4 170 46] (self : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
     
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_formula.rs" 171 8 171 42] UnsatInner0.unsat_inner self (Model0.model a)
 end
-module CreuSat_Solver_Impl0_UnitPropStep
-  use mach.int.UInt64
+module CreuSat_Logic_LogicLit_Impl1_LitInInternal_Interface
+  use Type
+  use seq.Seq
+  predicate lit_in_internal (self : Type.creusat_lit_lit) (c : Seq.seq (Type.creusat_lit_lit))
+end
+module CreuSat_Logic_LogicLit_Impl1_LitInInternal
+  use Type
+  use seq.Seq
   use mach.int.Int
-  use prelude.Prelude
   use mach.int.Int32
+  predicate lit_in_internal [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 54 4 54 53] (self : Type.creusat_lit_lit) (c : Seq.seq (Type.creusat_lit_lit))
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 55 8 57 9] exists i : (int) . 0 <= i /\ i < Seq.length c /\ Seq.get c i = self
+end
+module CreuSat_Logic_LogicLit_Impl1_IdxInTrail_Interface
   use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model8 with function Model0.model = Model10.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model8.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model5 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model5.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model8.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant7 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model5.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant8 with function Model0.model = Model6.model,
-  function Model1.model = Model5.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant6 with predicate Invariant0.invariant' = Invariant7.invariant',
-  predicate Invariant1.invariant' = Invariant8.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model6.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model6.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model6.model,
-  function Model1.model = Model5.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model7.model,
-  function Model1.model = Model6.model, function Model2.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model0.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model5.model,
-  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model6.model,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model5.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model0.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant3 with function Model0.model = Model4.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_trail_step,
+  predicate idx_in_trail (self : Type.creusat_lit_lit) (t : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global))
+    
+end
+module CreuSat_Logic_LogicLit_Impl1_IdxInTrail
+  use Type
+  use mach.int.Int
+  use mach.int.Int32
+  use seq.Seq
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_trail_step,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model3.model,
-  function Model1.model = Model8.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model3.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model3.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model2.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model8.model,
-  function Model1.model = Model3.model, predicate Invariant0.invariant' = Invariant6.invariant',
-  function Model2.model = Model2.model, function Model3.model = Model6.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model3.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model2.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model8.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant2 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model2.model, function Model1.model = Model3.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
+  predicate idx_in_trail [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 121 4 121 51] (self : Type.creusat_lit_lit) (t : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global))
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_lit.rs" 122 8 125 9] exists i : (int) . 0 <= i /\ i < Seq.length (Model0.model t) /\ IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit (Seq.get (Model0.model t) i)) = IndexLogic0.index_logic self
+end
+module CreuSat_Logic_LogicTrail_Impl0_InvariantReasonNew_Interface
+  use Type
+  predicate invariant_reason_new (self : Type.creusat_trail_reason) (f : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
+    
+end
+module CreuSat_Logic_LogicTrail_Impl0_InvariantReasonNew
+  use Type
+  use mach.int.Int
+  use mach.int.Int32
+  use mach.int.UInt64
+  use seq.Seq
+  clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
+  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner_Interface as UnsatInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model2
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant1 with function Model0.model = Model1.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  use mach.int.Int64
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve4 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve3 with type t = Type.creusat_trail_trail
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_decision_decisions
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_formula_formula
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_solver_solver
-  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner as UnsatInner2 with function Model0.model = Model5.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat as Unsat1 with function Model0.model = Model8.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner2.unsat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_UnsatInner as UnsatInner1 with function Model0.model = Model6.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner2.unsat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Unsat as Unsat0 with function Model0.model = Model8.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreuSat_Solver_Impl0_HandleConflict_Interface as HandleConflict0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant1.invariant',
-  predicate Invariant3.invariant' = Invariant3.invariant', function Model0.model = Model6.model,
-  predicate Unsat0.unsat = Unsat1.unsat, predicate Equisat0.equisat = Equisat0.equisat,
-  predicate NotSatisfiable0.not_satisfiable = NotSatisfiable0.not_satisfiable,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_UnitProp_UnitPropagate_Interface as UnitPropagate0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant1.invariant',
-  function Model0.model = Model6.model, predicate Unsat0.unsat = Unsat0.unsat, predicate Unsat1.unsat = Unsat1.unsat,
-  predicate Equisat0.equisat = Equisat0.equisat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg unit_prop_step [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 206 4 206 118] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (d : borrowed (Type.creusat_decision_decisions)) (t : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) : Type.creusat_solver_conflictresult
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 195 4 195 37] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 196 4 196 42] Invariant1.invariant' ( * w) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 197 4 197 42] Invariant2.invariant' ( * t) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 198 4 198 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 199 4 199 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 195 4 195 37] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 196 4 196 42] Invariant1.invariant' ( ^ w) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 197 4 197 42] Invariant2.invariant' ( ^ t) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 198 4 198 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 200 4 200 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 201 4 201 29] Equisat0.equisat ( * f) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 202 4 205 7] match (result) with
-      | Type.CreuSat_Solver_ConflictResult_Ground -> NotSatisfiable0.not_satisfiable ( ^ f)
+  predicate invariant_reason_new [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 27 4 27 73] (self : Type.creusat_trail_reason) (f : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 28 8 42 9] match (self) with
+      | Type.CreuSat_Trail_Reason_Long cref -> 0 <= UInt64.to_int cref /\ UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) /\ Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) > 1 /\ (forall i : (int) . 1 <= i /\ i < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) -> UnsatInner0.unsat_inner (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) i) (Model2.model a)) /\ SatInner0.sat_inner (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) 0) (Model2.model a)
+      | Type.CreuSat_Trail_Reason_Unit cref -> 0 <= UInt64.to_int cref /\ UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) /\ Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) = 1 /\ SatInner0.sat_inner (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) 0) (Model2.model a)
       | _ -> true
-      end }
+      end
+end
+module CreuSat_Logic_LogicTrail_Impl2_NewPostUnit_Interface
+  use Type
+  predicate new_post_unit (self : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
+end
+module CreuSat_Logic_LogicTrail_Impl2_NewPostUnit
+  use Type
+  use mach.int.Int
+  use mach.int.Int32
+  use seq.Seq
+  clone CreuSat_Logic_LogicTrail_Impl0_InvariantReasonNew_Interface as InvariantReasonNew0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  predicate new_post_unit [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 105 4 105 50] (self : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 106 8 109 9] forall j : (int) . 0 <= j /\ j < Seq.length (Model0.model (Type.creusat_trail_trail_Trail_trail self)) -> InvariantReasonNew0.invariant_reason_new (Type.creusat_trail_step_Step_reason (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_trail self)) j)) f (Type.creusat_trail_trail_Trail_assignments self)
+end
+module CreuSat_Logic_LogicTrail_ClausePostWithRegardsTo_Interface
+  use Type
+  use mach.int.Int
+  predicate clause_post_with_regards_to (c : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments) (j : int)
+    
+end
+module CreuSat_Logic_LogicTrail_ClausePostWithRegardsTo
+  use Type
+  use mach.int.Int
+  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner_Interface as ClausePostWithRegardsToInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
+  predicate clause_post_with_regards_to [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 187 0 187 77] (c : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments) (j : int)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 188 4 190 5] ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner c (Model0.model a) j
+end
+module CreuSat_Logic_LogicTrail_ClausePostWithRegardsToLit_Interface
+  use Type
+  predicate clause_post_with_regards_to_lit (c : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments) (lit : Type.creusat_lit_lit)
+    
+end
+module CreuSat_Logic_LogicTrail_ClausePostWithRegardsToLit
+  use Type
+  use mach.int.UInt64
+  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner_Interface as ClausePostWithRegardsToInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
+  predicate clause_post_with_regards_to_lit [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 203 0 203 83] (c : Type.creusat_clause_clause) (a : Type.creusat_assignments_assignments) (lit : Type.creusat_lit_lit)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 204 4 206 5] ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner c (Model0.model a) (UInt64.to_int (Type.creusat_lit_lit_Lit_idx lit))
+end
+module CreuSat_Logic_LogicTrail_LongArePostUnit_Interface
+  use Type
+  predicate long_are_post_unit (trail : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
+end
+module CreuSat_Logic_LogicTrail_LongArePostUnit
+  use Type
+  use mach.int.Int
+  use mach.int.Int32
+  use seq.Seq
+  use mach.int.UInt64
+  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsTo_Interface as ClausePostWithRegardsTo0
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  predicate long_are_post_unit [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 219 0 219 59] (trail : Type.creusat_trail_trail) (f : Type.creusat_formula_formula)
     
    =
-  var _0 : Type.creusat_solver_conflictresult;
-  var self_1 : borrowed (Type.creusat_solver_solver);
-  var f_2 : borrowed (Type.creusat_formula_formula);
-  var d_3 : borrowed (Type.creusat_decision_decisions);
-  var t_4 : borrowed (Type.creusat_trail_trail);
-  var w_5 : borrowed (Type.creusat_watches_watches);
-  var _6 : Type.core_result_result () usize;
-  var _7 : borrowed (Type.creusat_formula_formula);
-  var _8 : borrowed (Type.creusat_trail_trail);
-  var _9 : borrowed (Type.creusat_watches_watches);
-  var _10 : isize;
-  var cref_11 : usize;
-  var _12 : Type.core_option_option bool;
-  var _13 : borrowed (Type.creusat_solver_solver);
-  var _14 : borrowed (Type.creusat_formula_formula);
-  var _15 : borrowed (Type.creusat_trail_trail);
-  var _16 : usize;
-  var _17 : borrowed (Type.creusat_watches_watches);
-  var _18 : borrowed (Type.creusat_decision_decisions);
-  var _19 : isize;
-  {
-    self_1 <- self;
-    f_2 <- f;
-    d_3 <- d;
-    t_4 <- t;
-    w_5 <- w;
-    goto BB0
-  }
-  BB0 {
-    _7 <- borrow_mut ( * f_2);
-    f_2 <- { f_2 with current = ( ^ _7) };
-    _8 <- borrow_mut ( * t_4);
-    t_4 <- { t_4 with current = ( ^ _8) };
-    _9 <- borrow_mut ( * w_5);
-    w_5 <- { w_5 with current = ( ^ _9) };
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 207 14 207 37] UnitPropagate0.unit_propagate _7 _8 _9);
-    goto BB1
-  }
-  BB1 {
-    switch (_6)
-      | Type.Core_Result_Result_Ok _ -> goto BB4
-      | Type.Core_Result_Result_Err _ -> goto BB2
-      end
-  }
-  BB2 {
-    cref_11 <- Type.core_result_result_Err_0 _6;
-    _13 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _13) };
-    _14 <- borrow_mut ( * f_2);
-    f_2 <- { f_2 with current = ( ^ _14) };
-    _15 <- borrow_mut ( * t_4);
-    t_4 <- { t_4 with current = ( ^ _15) };
-    _16 <- cref_11;
-    _17 <- borrow_mut ( * w_5);
-    w_5 <- { w_5 with current = ( ^ _17) };
-    _18 <- borrow_mut ( * d_3);
-    d_3 <- { d_3 with current = ( ^ _18) };
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 209 31 209 69] HandleConflict0.handle_conflict _13 _14 _15 _16 _17 _18);
-    goto BB5
-  }
-  BB3 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve f_2 };
-    assume { Resolve2.resolve d_3 };
-    assume { Resolve3.resolve t_4 };
-    assume { Resolve4.resolve w_5 };
-    absurd
-  }
-  BB4 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve f_2 };
-    assume { Resolve2.resolve d_3 };
-    assume { Resolve3.resolve t_4 };
-    assume { Resolve4.resolve w_5 };
-    _0 <- Type.CreuSat_Solver_ConflictResult_Ok;
-    goto BB12
-  }
-  BB5 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve f_2 };
-    assume { Resolve2.resolve d_3 };
-    assume { Resolve3.resolve t_4 };
-    assume { Resolve4.resolve w_5 };
-    switch (_12)
-      | Type.Core_Option_Option_None -> goto BB6
-      | Type.Core_Option_Option_Some _ -> goto BB7
-      end
-  }
-  BB6 {
-    _0 <- Type.CreuSat_Solver_ConflictResult_Continue;
-    goto BB11
-  }
-  BB7 {
-    switch (Type.core_option_option_Some_0 _12)
-      | False -> goto BB9
-      | _ -> goto BB10
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 220 4 226 5] forall j : (int) . 0 <= j /\ j < Seq.length (Model0.model (Type.creusat_trail_trail_Trail_trail trail)) -> match (Type.creusat_trail_step_Step_reason (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_trail trail)) j)) with
+      | Type.CreuSat_Trail_Reason_Long k -> ClausePostWithRegardsTo0.clause_post_with_regards_to (Seq.get (Model1.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int k)) (Type.creusat_trail_trail_Trail_assignments trail) (IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_trail trail)) j)))
+      | _ -> true
       end
-  }
-  BB8 {
-    absurd
-  }
-  BB9 {
-    _0 <- Type.CreuSat_Solver_ConflictResult_Ground;
-    goto BB11
-  }
-  BB10 {
-    _0 <- Type.CreuSat_Solver_ConflictResult_Err;
-    goto BB11
-  }
-  BB11 {
-    goto BB12
-  }
-  BB12 {
-    return _0
-  }
-  
 end
-module CreuSat_Solver_Impl0_UnitPropLoop_Interface
+module CreuSat_Logic_LogicTrail_LemmaAssignMaintainsLongArePostUnit_Interface
   use mach.int.UInt64
+  use seq.Seq
   use mach.int.Int
   use prelude.Prelude
-  use mach.int.Int32
+  use prelude.UInt8
   use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable_Interface as NotSatisfiable0
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant3
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
+  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
+  clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_CrefsInRange_Interface as CrefsInRange0
+  clone CreuSat_Logic_LogicTrail_TrailInvariant_Interface as TrailInvariant0
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant0
+  function lemma_assign_maintains_long_are_post_unit (v : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments) (lit : Type.creusat_lit_lit) : ()
+    
+end
+module CreuSat_Logic_LogicTrail_LemmaAssignMaintainsLongArePostUnit
+  use mach.int.UInt64
+  use seq.Seq
+  use mach.int.Int
+  use prelude.Prelude
+  use prelude.UInt8
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
+  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
+  clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_CrefsInRange_Interface as CrefsInRange0
+  clone CreuSat_Logic_LogicTrail_TrailInvariant_Interface as TrailInvariant0
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant0
+  function lemma_assign_maintains_long_are_post_unit [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 264 0 264 100] (v : Seq.seq (Type.creusat_trail_step)) (f : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments) (lit : Type.creusat_lit_lit) : ()
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 254 0 254 8] ()
+  axiom lemma_assign_maintains_long_are_post_unit_spec : forall v : Seq.seq (Type.creusat_trail_step), f : Type.creusat_formula_formula, a : Type.creusat_assignments_assignments, lit : Type.creusat_lit_lit . ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 255 0 255 27] Invariant0.invariant' a f) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 256 0 256 26] Invariant1.invariant' f) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 257 0 257 34] TrailInvariant0.trail_invariant v f) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 258 0 258 33] CrefsInRange0.crefs_in_range v f) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 259 0 259 39] Invariant2.invariant' lit (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 260 0 260 43] Unset0.unset (Seq.get (Model0.model a) (IndexLogic0.index_logic lit))) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 261 0 261 47] LongArePostUnitInner0.long_are_post_unit_inner v f (Model0.model a)) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 263 0 263 76] LongArePostUnitInner0.long_are_post_unit_inner v f (Seq.set (Model0.model a) (IndexLogic0.index_logic lit) (0 : uint8))) && ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 262 0 262 76] LongArePostUnitInner0.long_are_post_unit_inner v f (Seq.set (Model0.model a) (IndexLogic0.index_logic lit) (1 : uint8)))
+end
+module CreuSat_Logic_LogicTrail_LemmaPushMaintainsLitNotInLess_Interface
+  use seq.Seq
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicTrail_LitNotInLessInner_Interface as LitNotInLessInner0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl1_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
   clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   axiom .
-  val unit_prop_loop [@cfg:stackify] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (d : borrowed (Type.creusat_decision_decisions)) (t : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) : Type.core_option_option bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 218 4 218 37] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 219 4 219 42] Invariant1.invariant' ( * t) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 220 4 220 42] Invariant2.invariant' ( * w) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 221 4 221 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 222 4 222 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 218 4 218 37] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 219 4 219 42] Invariant1.invariant' ( ^ t) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 220 4 220 42] Invariant2.invariant' ( ^ w) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 221 4 221 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 223 4 227 7] match (result) with
-      | Type.Core_Option_Option_Some (False) -> NotSatisfiable0.not_satisfiable ( ^ f)
-      | Type.Core_Option_Option_Some (True) -> true
-      | Type.Core_Option_Option_None -> true
-      end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 228 4 228 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 229 4 229 29] Equisat0.equisat ( * f) ( ^ f) }
+  function lemma_push_maintains_lit_not_in_less (t : Type.creusat_trail_trail) (f : Type.creusat_formula_formula) (step : Type.creusat_trail_step) : ()
     
 end
-module CreuSat_Solver_Impl0_UnitPropLoop
+module CreuSat_Logic_LogicTrail_LemmaPushMaintainsLitNotInLess
+  use seq.Seq
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicTrail_LitNotInLessInner_Interface as LitNotInLessInner0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl1_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  function lemma_push_maintains_lit_not_in_less [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 274 0 274 77] (t : Type.creusat_trail_trail) (f : Type.creusat_formula_formula) (step : Type.creusat_trail_step) : ()
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 267 0 267 8] ()
+  axiom lemma_push_maintains_lit_not_in_less_spec : forall t : Type.creusat_trail_trail, f : Type.creusat_formula_formula, step : Type.creusat_trail_step . ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 268 0 268 26] Invariant0.invariant' f) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 269 0 269 27] Invariant1.invariant' t f) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 270 0 270 60] Unset0.unset (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments t)) (IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit step)))) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 271 0 271 30] Invariant2.invariant' step f) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 272 0 272 47] LitNotInLessInner0.lit_not_in_less_inner (Model1.model (Type.creusat_trail_trail_Trail_trail t)) f) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_trail.rs" 273 0 273 59] LitNotInLessInner0.lit_not_in_less_inner (Seq.snoc (Model1.model (Type.creusat_trail_trail_Trail_trail t)) step) f)
+end
+module CreuSat_Logic_LogicUtil_LastIdx_Interface
+  type t
+  use seq.Seq
+  use mach.int.Int
+  use mach.int.Int32
+  function last_idx (s : Seq.seq t) : int
+end
+module CreuSat_Logic_LogicUtil_LastIdx
+  type t
+  use seq.Seq
+  use mach.int.Int
+  use mach.int.Int32
+  function last_idx [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 77 0 77 36] (s : Seq.seq t) : int =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 78 4 78 27] Seq.length s - 1
+  axiom last_idx_spec : forall s : Seq.seq t . ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 76 0 76 24] Seq.length s > 0) -> true
+end
+module CreuSat_Logic_LogicUtil_LastElem_Interface
+  type t
+  use seq.Seq
+  use mach.int.Int
+  use mach.int.Int32
+  function last_elem (s : Seq.seq t) : t
+end
+module CreuSat_Logic_LogicUtil_LastElem
+  type t
+  use seq.Seq
+  use mach.int.Int
+  use mach.int.Int32
+  function last_elem [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 84 0 84 35] (s : Seq.seq t) : t =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 85 4 85 30] Seq.get s (Seq.length s - 1)
+  axiom last_elem_spec : forall s : Seq.seq t . ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 83 0 83 24] Seq.length s > 0) -> true
+end
+module CreuSat_Logic_LogicUtil_LemmaPopMaintainsSorted_Interface
+  use seq.Seq
+  use mach.int.Int
+  use mach.int.Int32
+  use prelude.Prelude
+  use mach.int.UInt64
+  clone CreuSat_Logic_LogicUtil_Pop_Interface as Pop0 with type t = usize, axiom .
+  clone CreuSat_Logic_LogicUtil_Sorted_Interface as Sorted0
+  function lemma_pop_maintains_sorted (s : Seq.seq usize) : ()
+end
+module CreuSat_Logic_LogicUtil_LemmaPopMaintainsSorted
+  use seq.Seq
+  use mach.int.Int
+  use mach.int.Int32
+  use prelude.Prelude
   use mach.int.UInt64
+  clone CreuSat_Logic_LogicUtil_Pop_Interface as Pop0 with type t = usize, axiom .
+  clone CreuSat_Logic_LogicUtil_Sorted_Interface as Sorted0
+  function lemma_pop_maintains_sorted [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 93 0 93 48] (s : Seq.seq usize) : ()
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 88 0 88 8] ()
+  axiom lemma_pop_maintains_sorted_spec : forall s : Seq.seq usize . ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 90 0 90 24] Seq.length s > 0) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 91 0 91 22] Sorted0.sorted s) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_util.rs" 92 0 92 26] Sorted0.sorted (Pop0.pop s))
+end
+module CreuSat_Logic_LogicWatches_WatchValid_Interface
+  use seq.Seq
+  use Type
+  predicate watch_valid (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula)
+end
+module CreuSat_Logic_LogicWatches_WatchValid
+  use seq.Seq
+  use Type
   use mach.int.Int
-  use prelude.Prelude
   use mach.int.Int32
-  use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model7 with function Model0.model = Model10.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model7.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model5 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model5.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model7.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant7 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model5.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant8 with function Model0.model = Model6.model,
-  function Model1.model = Model5.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant6 with predicate Invariant0.invariant' = Invariant7.invariant',
-  predicate Invariant1.invariant' = Invariant8.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model6.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model6.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model6.model,
-  function Model1.model = Model5.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model8.model,
-  function Model1.model = Model6.model, function Model2.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model0.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model5.model,
-  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model6.model,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model5.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model0.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant3 with function Model0.model = Model4.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model3.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_trail_step,
+  use mach.int.UInt64
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model2.model,
-  function Model1.model = Model7.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model2.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model2.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model1.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model7.model,
-  function Model1.model = Model2.model, predicate Invariant0.invariant' = Invariant6.invariant',
-  function Model2.model = Model1.model, function Model3.model = Model6.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model2.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model1.model,
-  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
-  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model7.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
-  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
-  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model1.model, function Model1.model = Model2.model,
-  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  use mach.int.Int64
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve4 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve3 with type t = Type.creusat_trail_trail
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_decision_decisions
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_formula_formula
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_solver_solver
-  clone CreuSat_Solver_Impl0_UnitPropStep_Interface as UnitPropStep0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant1.invariant',
-  predicate Invariant3.invariant' = Invariant3.invariant', predicate Equisat0.equisat = Equisat0.equisat,
-  predicate NotSatisfiable0.not_satisfiable = NotSatisfiable0.not_satisfiable,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg unit_prop_loop [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 230 4 230 116] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (d : borrowed (Type.creusat_decision_decisions)) (t : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) : Type.core_option_option bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 218 4 218 37] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 219 4 219 42] Invariant1.invariant' ( * t) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 220 4 220 42] Invariant2.invariant' ( * w) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 221 4 221 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 222 4 222 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 218 4 218 37] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 219 4 219 42] Invariant1.invariant' ( ^ t) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 220 4 220 42] Invariant2.invariant' ( ^ w) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 221 4 221 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 223 4 227 7] match (result) with
-      | Type.Core_Option_Option_Some (False) -> NotSatisfiable0.not_satisfiable ( ^ f)
-      | Type.Core_Option_Option_Some (True) -> true
-      | Type.Core_Option_Option_None -> true
-      end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 228 4 228 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 229 4 229 29] Equisat0.equisat ( * f) ( ^ f) }
+  predicate watch_valid [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 25 0 25 55] (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula)
     
    =
-  var _0 : Type.core_option_option bool;
-  var self_1 : borrowed (Type.creusat_solver_solver);
-  var f_2 : borrowed (Type.creusat_formula_formula);
-  var d_3 : borrowed (Type.creusat_decision_decisions);
-  var t_4 : borrowed (Type.creusat_trail_trail);
-  var w_5 : borrowed (Type.creusat_watches_watches);
-  ghost var old_f_6 : borrowed (Type.creusat_formula_formula);
-  var _7 : ();
-  ghost var old_t_8 : borrowed (Type.creusat_trail_trail);
-  var _9 : ();
-  ghost var old_w_10 : borrowed (Type.creusat_watches_watches);
-  var _11 : ();
-  ghost var old_d_12 : borrowed (Type.creusat_decision_decisions);
-  var _13 : ();
-  var _14 : ();
-  var _15 : ();
-  var _16 : Type.creusat_solver_conflictresult;
-  var _17 : borrowed (Type.creusat_solver_solver);
-  var _18 : borrowed (Type.creusat_formula_formula);
-  var _19 : borrowed (Type.creusat_decision_decisions);
-  var _20 : borrowed (Type.creusat_trail_trail);
-  var _21 : borrowed (Type.creusat_watches_watches);
-  var _22 : isize;
-  var _23 : ();
-  var _24 : ();
-  var _25 : ();
-  {
-    self_1 <- self;
-    f_2 <- f;
-    d_3 <- d;
-    t_4 <- t;
-    w_5 <- w;
-    goto BB0
-  }
-  BB0 {
-    _7 <- ();
-    old_f_6 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 231 20 231 32] f_2);
-    goto BB1
-  }
-  BB1 {
-    _9 <- ();
-    old_t_8 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 232 20 232 32] t_4);
-    goto BB2
-  }
-  BB2 {
-    _11 <- ();
-    old_w_10 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 233 20 233 32] w_5);
-    goto BB3
-  }
-  BB3 {
-    _13 <- ();
-    old_d_12 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 234 20 234 32] d_3);
-    goto BB4
-  }
-  BB4 {
-    goto BB5
-  }
-  BB5 {
-    invariant maintains_f { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 235 8 235 48] Invariant0.invariant' ( * f_2) };
-    invariant maintains_t { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 236 8 236 50] Invariant1.invariant' ( * t_4) ( * f_2) };
-    invariant maintains_w { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 237 8 237 50] Invariant2.invariant' ( * w_5) ( * f_2) };
-    invariant maintains_d { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 238 8 238 59] Invariant3.invariant' ( * d_3) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f_2))) };
-    invariant equi { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 239 8 239 53] Equisat0.equisat ( * old_f_6) ( * f_2) };
-    invariant num_vars { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 240 8 240 62] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f_2)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * old_f_6)) };
-    invariant prophf { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 241 8 241 50]  ^ f_2 =  ^ old_f_6 };
-    invariant propht { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 242 8 242 50]  ^ t_4 =  ^ old_t_8 };
-    invariant prophw { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 243 8 243 50]  ^ w_5 =  ^ old_w_10 };
-    invariant prophd { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 244 8 244 50]  ^ d_3 =  ^ old_d_12 };
-    _17 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _17) };
-    _18 <- borrow_mut ( * f_2);
-    f_2 <- { f_2 with current = ( ^ _18) };
-    _19 <- borrow_mut ( * d_3);
-    d_3 <- { d_3 with current = ( ^ _19) };
-    _20 <- borrow_mut ( * t_4);
-    t_4 <- { t_4 with current = ( ^ _20) };
-    _21 <- borrow_mut ( * w_5);
-    w_5 <- { w_5 with current = ( ^ _21) };
-    _16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 246 18 246 49] UnitPropStep0.unit_prop_step _17 _18 _19 _20 _21);
-    goto BB6
-  }
-  BB6 {
-    switch (_16)
-      | Type.CreuSat_Solver_ConflictResult_Ok -> goto BB9
-      | Type.CreuSat_Solver_ConflictResult_Err -> goto BB11
-      | Type.CreuSat_Solver_ConflictResult_Ground -> goto BB10
-      | Type.CreuSat_Solver_ConflictResult_Continue -> goto BB7
-      end
-  }
-  BB7 {
-    _15 <- ();
-    goto BB5
-  }
-  BB8 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve f_2 };
-    assume { Resolve2.resolve d_3 };
-    assume { Resolve3.resolve t_4 };
-    assume { Resolve4.resolve w_5 };
-    absurd
-  }
-  BB9 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve f_2 };
-    assume { Resolve2.resolve d_3 };
-    assume { Resolve3.resolve t_4 };
-    assume { Resolve4.resolve w_5 };
-    _0 <- Type.Core_Option_Option_Some true;
-    goto BB12
-  }
-  BB10 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve f_2 };
-    assume { Resolve2.resolve d_3 };
-    assume { Resolve3.resolve t_4 };
-    assume { Resolve4.resolve w_5 };
-    _0 <- Type.Core_Option_Option_Some false;
-    goto BB12
-  }
-  BB11 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve f_2 };
-    assume { Resolve2.resolve d_3 };
-    assume { Resolve3.resolve t_4 };
-    assume { Resolve4.resolve w_5 };
-    _0 <- Type.Core_Option_Option_None;
-    goto BB12
-  }
-  BB12 {
-    return _0
-  }
-  
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 26 4 31 5] forall j : (int) . 0 <= j /\ j < Seq.length w -> UInt64.to_int (Type.creusat_watches_watcher_Watcher_cref (Seq.get w j)) < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) /\ Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int (Type.creusat_watches_watcher_Watcher_cref (Seq.get w j))))) > 1 /\ IndexLogic0.index_logic (Type.creusat_watches_watcher_Watcher_blocker (Seq.get w j)) < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)
+end
+module CreuSat_Logic_LogicWatches_WatchesCrefsInRange_Interface
+  use seq.Seq
+  use Type
+  predicate watches_crefs_in_range (w : Seq.seq (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global))) (f : Type.creusat_formula_formula)
+    
+end
+module CreuSat_Logic_LogicWatches_WatchesCrefsInRange
+  use seq.Seq
+  use Type
+  use mach.int.Int
+  use mach.int.Int32
+  clone CreuSat_Logic_LogicWatches_WatcherCrefsInRange_Interface as WatcherCrefsInRange0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_watches_watcher,
+  type a = Type.alloc_alloc_global, axiom .
+  predicate watches_crefs_in_range [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 43 0 43 71] (w : Seq.seq (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global))) (f : Type.creusat_formula_formula)
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 44 4 47 5] forall i : (int) . 0 <= i /\ i < Seq.length w -> WatcherCrefsInRange0.watcher_crefs_in_range (Model0.model (Seq.get w i)) f
 end
-module CreuSat_Trail_Impl0_EnqDecision_Interface
+module CreuSat_Logic_LogicWatches_LemmaPushMaintainsWatcherInvariant_Interface
+  use mach.int.UInt64
+  use seq.Seq
+  use mach.int.Int
+  use Type
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicWatches_WatcherCrefsInRange_Interface as WatcherCrefsInRange0
+  function lemma_push_maintains_watcher_invariant (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula) (o : Type.creusat_watches_watcher) : ()
+    
+end
+module CreuSat_Logic_LogicWatches_LemmaPushMaintainsWatcherInvariant
   use mach.int.UInt64
+  use seq.Seq
   use mach.int.Int
+  use Type
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicWatches_WatcherCrefsInRange_Interface as WatcherCrefsInRange0
+  function lemma_push_maintains_watcher_invariant [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 62 0 62 86] (w : Seq.seq (Type.creusat_watches_watcher)) (f : Type.creusat_formula_formula) (o : Type.creusat_watches_watcher) : ()
+    
+   =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 57 0 57 8] ()
+  axiom lemma_push_maintains_watcher_invariant_spec : forall w : Seq.seq (Type.creusat_watches_watcher), f : Type.creusat_formula_formula, o : Type.creusat_watches_watcher . ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 59 0 59 41] WatcherCrefsInRange0.watcher_crefs_in_range w f) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 60 0 60 41] UInt64.to_int (Type.creusat_watches_watcher_Watcher_cref o) < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))) -> ([#"/Users/xavier/Code/sat/CreuSAT/src/logic/logic_watches.rs" 61 0 61 48] WatcherCrefsInRange0.watcher_crefs_in_range (Seq.snoc w o) f)
+end
+module CreuSat_Solver_GetAssertingLevel_Interface
+  use mach.int.UInt64
   use seq.Seq
+  use mach.int.Int
   use mach.int.Int32
-  use prelude.UInt8
   use prelude.Prelude
   use Type
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
+  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
+  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner_Interface as NoDuplicateIndexesInner0
+  clone CreuSat_Logic_LogicClause_VarsInRangeInner_Interface as VarsInRangeInner0
+  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model1 with type t = Type.creusat_clause_clause,
+  type ModelTy0.modelTy = ModelTy1.modelTy
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface as EquisatExtensionInner0
+  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = Type.creusat_formula_formula,
+  type ModelTy0.modelTy = ModelTy0.modelTy
   clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   axiom .
-  val enq_decision [@cfg:stackify] (self : borrowed (Type.creusat_trail_trail)) (idx : usize) (_f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 268 4 268 31] Invariant0.invariant' _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 269 4 269 43] Invariant1.invariant' ( * self) _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 270 4 270 36] UInt64.to_int idx < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 271 4 271 49] Unset0.unset (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( * self))) (UInt64.to_int idx))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 275 4 275 78] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self))) _f (Model0.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 269 4 269 43] Invariant1.invariant' ( ^ self) _f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 272 4 273 76] forall j : (int) . 0 <= j && j < Seq.length (Model0.model (Type.creusat_trail_trail_Trail_assignments ( * self))) && j <> UInt64.to_int idx -> Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( * self))) j = Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) j }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 274 4 274 88] UInt8.to_int (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) (UInt64.to_int idx)) = 1 || UInt8.to_int (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) (UInt64.to_int idx)) = 0 }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 276 4 276 87] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) _f (Model0.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 277 4 277 65] Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) = 1 + Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self))) }
-    
-end
-module CreuSat_Trail_Impl0_EnqDecision
+  val get_asserting_level [@cfg:stackify] (clause : Type.creusat_clause_clause) (trail : Type.creusat_trail_trail) (f : Type.creusat_formula_formula) : (usize, usize)
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 32 0 32 26] Invariant0.invariant' f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 33 0 33 32] Invariant1.invariant' trail f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 34 0 34 49] EquisatExtensionInner0.equisat_extension_inner clause (Model0.model f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 35 0 35 42] Invariant2.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 36 0 36 32] Seq.length (Model1.model clause) > 1}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 37 0 37 54] VarsInRangeInner0.vars_in_range_inner (Model1.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 38 0 38 48] NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model clause)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 39 0 39 39] UInt64.to_int (let (a, _) = result in a) < Seq.length (Model1.model clause) }
+    
+end
+module CreuSat_Solver_GetAssertingLevel
   use mach.int.UInt64
-  use mach.int.Int
   use seq.Seq
+  use mach.int.Int
   use mach.int.Int32
-  use prelude.UInt8
   use prelude.Prelude
   use Type
+  use prelude.UInt8
   clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model6 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant5 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant2 with function Model0.model = Model6.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model6.model
   clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
   function IndexLogic0.index_logic = IndexLogic0.index_logic
   clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
   function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_lit_lit,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicClause_Impl0_Model as Model5 with function Model0.model = Model8.model
+  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner1 with function Model0.model = Model5.model,
+  predicate SatInner0.sat_inner = SatInner0.sat_inner
+  clone CreuSat_Logic_Logic_Unset as Unset0
+  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant6 with function Model0.model = Model6.model,
+  function Model1.model = Model5.model
   clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model6.model,
+  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model5.model,
   function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
   predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model6.model,
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model5.model,
   function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant6 with function Model0.model = Model5.model,
-  function Model1.model = Model6.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant4 with predicate Invariant0.invariant' = Invariant5.invariant',
-  predicate Invariant1.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant4.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model5.model,
+  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model6.model,
   predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model2 with function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model5.model,
-  predicate Invariant0.invariant' = Invariant2.invariant', function Model1.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model2.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model0 with function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model0.model,
+  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant3 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant5 with predicate Invariant0.invariant' = Invariant3.invariant',
+  predicate Invariant1.invariant' = Invariant6.invariant'
+  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant5.invariant'
+  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
+  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model7 with function Model0.model = Model9.model
+  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model7.model,
   predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model5.model,
-  function Model1.model = Model6.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant3 with function Model0.model = Model0.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.creusat_trail_step,
+  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model6.model,
+  function Model1.model = Model5.model, predicate Sat0.sat = Sat0.sat
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = usize, type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model3.model,
+  predicate Sorted0.sorted = Sorted0.sorted
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_trail_step,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model1.model,
-  function Model1.model = Model0.model,
+  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model4.model,
+  function Model1.model = Model7.model,
   predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model1.model,
+  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model6.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic,
+  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
+  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model4.model,
   predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model1.model,
+  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model4.model,
   predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model3.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model0.model,
-  function Model1.model = Model1.model, predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model2.model = Model3.model, function Model3.model = Model5.model,
+  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
+  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
+  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant4 with function Model0.model = Model7.model
+  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
+  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant3.invariant'
+  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
+  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
+  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
+  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
+  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model7.model,
+  function Model1.model = Model4.model, predicate Invariant0.invariant' = Invariant5.invariant',
+  function Model2.model = Model3.model, function Model3.model = Model6.model,
   predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
   predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
   predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
   predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
   predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
   clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model0.model = Model1.model,
+  predicate Invariant0.invariant' = Invariant4.invariant', function Model0.model = Model4.model,
   predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model3.model,
   predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
   predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model0.model,
+  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model7.model,
   predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
   predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
   predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
   predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant2 with function Model0.model = Model5.model,
+  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
+  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant2.invariant',
+  function Model0.model = Model5.model
+  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model2 with function Model0.model = Model6.model
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror as InvariantMirror0 with function Model0.model = Model6.model,
+  predicate Invariant0.invariant' = Invariant2.invariant', function Model1.model = Model5.model
+  clone CreusotContracts_Logic_Model_Impl0_Model as Model1 with type t = Type.creusat_clause_clause,
+  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model5.model
+  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
+  clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_formula_formula,
+  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model2.model
   clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model3.model, function Model1.model = Model1.model,
+  function Model0.model = Model3.model, function Model1.model = Model4.model,
   predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_trail_trail
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = uint8
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy1
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = usize
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  function Model0.model = Model2.model,
+  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
+  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy2 with type t = usize
   clone Core_Slice_Index_Impl2_Output as Output0 with type t = usize
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = usize
   clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = usize
   clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = usize
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model9 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model0.model
-  clone CreuSat_Lit_Impl1_PhaseSaved_Interface as PhaseSaved0 with function Model0.model = Model9.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model8 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model0.model
-  clone CreuSat_Assignments_Impl1_IndexMut_Interface as IndexMut1 with function Model0.model = Model8.model,
-  function Model1.model = Model0.model
-  clone Alloc_Vec_Impl1_Push_Interface as Push1 with type t = Type.creusat_trail_step, type a = Type.alloc_alloc_global,
-  function Model0.model = Model1.model
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_trail_step, type a = Type.alloc_alloc_global,
-  function Model0.model = Model1.model
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = usize, type i = usize,
+  clone CreuSat_Clause_Impl3_Len_Interface as Len0 with function Model0.model = Model1.model
+  clone Alloc_Vec_Impl16_Index_Interface as Index2 with type t = usize, type i = usize,
   type a = Type.alloc_alloc_global, function Model0.model = Model3.model,
   predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone Alloc_Vec_Impl1_Len_Interface as Len1 with type t = usize, type a = Type.alloc_alloc_global,
-  function Model0.model = Model3.model
-  clone Alloc_Vec_Impl1_Push_Interface as Push0 with type t = usize, type a = Type.alloc_alloc_global,
-  function Model0.model = Model3.model
-  let rec cfg enq_decision [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 278 4 278 60] (self : borrowed (Type.creusat_trail_trail)) (idx : usize) (_f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 268 4 268 31] Invariant0.invariant' _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 269 4 269 43] Invariant1.invariant' ( * self) _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 270 4 270 36] UInt64.to_int idx < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 271 4 271 49] Unset0.unset (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( * self))) (UInt64.to_int idx))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 275 4 275 78] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self))) _f (Model0.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 269 4 269 43] Invariant1.invariant' ( ^ self) _f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 272 4 273 76] forall j : (int) . 0 <= j && j < Seq.length (Model0.model (Type.creusat_trail_trail_Trail_assignments ( * self))) && j <> UInt64.to_int idx -> Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( * self))) j = Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) j }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 274 4 274 88] UInt8.to_int (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) (UInt64.to_int idx)) = 1 || UInt8.to_int (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) (UInt64.to_int idx)) = 0 }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 276 4 276 87] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) _f (Model0.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 277 4 277 65] Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) = 1 + Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self))) }
-    
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_trail_trail);
-  var idx_2 : usize;
-  var _f_3 : Type.creusat_formula_formula;
-  var trail_len_4 : usize;
-  var _5 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var _6 : ();
-  var _7 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
+  type Output0.output = Output0.output
+  clone CreuSat_Lit_Impl1_Index_Interface as Index1 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Clause_Impl0_Index_Interface as Index0 with function Model0.model = Model1.model
+  let rec cfg get_asserting_level [@cfg:stackify] [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 40 0 40 89] (clause : Type.creusat_clause_clause) (trail : Type.creusat_trail_trail) (f : Type.creusat_formula_formula) : (usize, usize)
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 32 0 32 26] Invariant0.invariant' f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 33 0 33 32] Invariant1.invariant' trail f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 34 0 34 49] EquisatExtensionInner0.equisat_extension_inner clause (Model0.model f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 35 0 35 42] Invariant2.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 36 0 36 32] Seq.length (Model1.model clause) > 1}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 37 0 37 54] VarsInRangeInner0.vars_in_range_inner (Model1.model clause) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 38 0 38 48] NoDuplicateIndexesInner0.no_duplicate_indexes_inner (Model1.model clause)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 39 0 39 39] UInt64.to_int (let (a, _) = result in a) < Seq.length (Model1.model clause) }
+    
+   = [@vc:do_not_keep_trace] [@vc:sp]
+  var _0 : (usize, usize);
+  var clause_1 : Type.creusat_clause_clause;
+  var trail_2 : Type.creusat_trail_trail;
+  var f_3 : Type.creusat_formula_formula;
+  var max_i_4 : usize;
+  var max_level_5 : usize;
+  var _6 : usize;
+  var _7 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
   var _8 : usize;
-  var dlevel_9 : usize;
-  var _10 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _11 : usize;
-  var _12 : borrowed usize;
-  var _13 : borrowed (Type.alloc_vec_vec usize (Type.alloc_alloc_global));
-  var _14 : usize;
-  var _15 : borrowed uint8;
-  var _16 : borrowed (Type.creusat_assignments_assignments);
+  var _9 : Type.creusat_lit_lit;
+  var _10 : Type.creusat_lit_lit;
+  var _11 : Type.creusat_clause_clause;
+  var i_12 : usize;
+  var _13 : ();
+  var _14 : ();
+  var _15 : bool;
+  var _16 : usize;
   var _17 : usize;
-  var lit_18 : Type.creusat_lit_lit;
-  var _19 : usize;
-  var _20 : Type.creusat_assignments_assignments;
-  var _21 : Type.creusat_assignments_assignments;
-  var step_22 : Type.creusat_trail_step;
+  var _18 : Type.creusat_clause_clause;
+  var level_19 : usize;
+  var _20 : usize;
+  var _21 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
+  var _22 : usize;
   var _23 : Type.creusat_lit_lit;
-  var _24 : usize;
-  var _25 : Type.creusat_trail_reason;
-  var _26 : ();
-  var _27 : borrowed (Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global));
-  var _28 : Type.creusat_trail_step;
-  var _29 : ();
-  var _30 : ();
-  var _31 : ();
-  var _32 : ();
+  var _24 : Type.creusat_lit_lit;
+  var _25 : Type.creusat_clause_clause;
+  var _26 : usize;
+  var _27 : ();
+  var _28 : bool;
+  var _29 : usize;
+  var _30 : usize;
+  var _31 : usize;
+  var _32 : usize;
+  var _33 : ();
+  var _34 : ();
+  var _35 : ();
+  var _36 : usize;
+  var _37 : usize;
   {
-    self_1 <- self;
-    idx_2 <- idx;
-    _f_3 <- _f;
+    clause_1 <- clause;
+    trail_2 <- trail;
+    f_3 <- f;
     goto BB0
   }
   BB0 {
-    _5 <- Type.creusat_trail_trail_Trail_trail ( * self_1);
-    trail_len_4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 279 24 279 40] Len0.len _5);
+    max_i_4 <- (1 : usize);
+    _7 <- Type.creusat_trail_trail_Trail_lit_to_level trail_2;
+    _11 <- clause_1;
+    _10 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 42 43 42 52] Index0.index _11 (1 : usize));
     goto BB1
   }
   BB1 {
-    _7 <- borrow_mut (Type.creusat_trail_trail_Trail_decisions ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Trail_Trail a b c d e =  * self_1 in Type.CreuSat_Trail_Trail a b c d ( ^ _7)) };
-    _8 <- trail_len_4;
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 280 8 280 38] Push0.push _7 _8);
+    _9 <- _10;
+    _8 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 42 43 42 60] Index1.index _9);
     goto BB2
   }
   BB2 {
-    _10 <- Type.creusat_trail_trail_Trail_decisions ( * self_1);
-    dlevel_9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 281 21 281 41] Len1.len _10);
+    _6 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 42 24 42 61] Index2.index _7 _8);
     goto BB3
   }
   BB3 {
-    _11 <- dlevel_9;
-    _13 <- borrow_mut (Type.creusat_trail_trail_Trail_lit_to_level ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Trail_Trail a b c d e =  * self_1 in Type.CreuSat_Trail_Trail a ( ^ _13) c d e) };
-    _14 <- idx_2;
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 282 8 282 30] IndexMut0.index_mut _13 _14);
+    max_level_5 <- _6;
+    i_12 <- (2 : usize);
     goto BB4
   }
   BB4 {
-    _12 <- { _12 with current = _11 };
-    assume { Resolve0.resolve _12 };
-    _16 <- borrow_mut (Type.creusat_trail_trail_Trail_assignments ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Trail_Trail a b c d e =  * self_1 in Type.CreuSat_Trail_Trail ( ^ _16) b c d e) };
-    _17 <- idx_2;
-    _15 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 283 8 283 29] IndexMut1.index_mut _16 _17);
+    invariant max_i_less { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 44 4 44 54] UInt64.to_int max_i_4 < Seq.length (Model1.model clause_1) };
+    _16 <- i_12;
+    _18 <- clause_1;
+    _17 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 45 14 45 26] Len0.len _18);
     goto BB5
   }
   BB5 {
-    _15 <- { _15 with current = ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 283 8 283 34]  * _15 - (2 : uint8)) };
-    assume { Resolve1.resolve _15 };
-    _19 <- idx_2;
-    _21 <- Type.creusat_trail_trail_Trail_assignments ( * self_1);
-    _20 <- _21;
-    lit_18 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 284 18 284 58] PhaseSaved0.phase_saved _19 _20);
-    goto BB6
+    _15 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 45 10 45 26] _16 < _17);
+    switch (_15)
+      | False -> goto BB13
+      | _ -> goto BB6
+      end
+  }
+  BB6 {
+    _21 <- Type.creusat_trail_trail_Trail_lit_to_level trail_2;
+    _25 <- clause_1;
+    _26 <- i_12;
+    _24 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 46 39 46 48] Index0.index _25 _26);
+    goto BB7
+  }
+  BB7 {
+    _23 <- _24;
+    _22 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 46 39 46 56] Index1.index _23);
+    goto BB8
+  }
+  BB8 {
+    _20 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 46 20 46 57] Index2.index _21 _22);
+    goto BB9
+  }
+  BB9 {
+    level_19 <- _20;
+    _29 <- level_19;
+    _30 <- max_level_5;
+    _28 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 47 11 47 28] _29 > _30);
+    switch (_28)
+      | False -> goto BB11
+      | _ -> goto BB10
+      end
+  }
+  BB10 {
+    _31 <- level_19;
+    max_level_5 <- _31;
+    _32 <- i_12;
+    max_i_4 <- _32;
+    _27 <- ();
+    goto BB12
   }
-  BB6 {
-    _23 <- lit_18;
-    _24 <- dlevel_9;
-    _25 <- Type.CreuSat_Trail_Reason_Decision;
-    step_22 <- Type.CreuSat_Trail_Step _23 _24 _25;
-    _27 <- borrow_mut (Type.creusat_trail_trail_Trail_trail ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Trail_Trail a b c d e =  * self_1 in Type.CreuSat_Trail_Trail a b ( ^ _27) d e) };
-    _28 <- step_22;
-    _26 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 288 8 288 29] Push1.push _27 _28);
-    goto BB7
+  BB11 {
+    _27 <- ();
+    goto BB12
   }
-  BB7 {
-    assume { Resolve2.resolve self_1 };
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 289 8 289 48] LitNotInLess0.lit_not_in_less ( * self_1) _f_3 };
-    _29 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 292 8 292 84] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self_1))) _f_3 (Model0.model (Type.creusat_trail_trail_Trail_assignments ( * self_1))) };
-    _30 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 296 8 296 43] LitIsUnique0.lit_is_unique ( * self_1) };
-    _31 <- ();
-    assert { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 297 8 297 56] TrailEntriesAreAssigned0.trail_entries_are_assigned ( * self_1) };
-    _32 <- ();
-    _0 <- ();
+  BB12 {
+    i_12 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 51 8 51 14] i_12 + (1 : usize));
+    _14 <- ();
+    goto BB4
+  }
+  BB13 {
+    _13 <- ();
+    _36 <- max_i_4;
+    _37 <- max_level_5;
+    _0 <- (_36, _37);
     return _0
   }
   
 end
-module CreuSat_Solver_Impl0_OuterLoop_Interface
+module Core_Ops_Index_IndexMut_IndexMut_Interface
+  type self
+  type idx
+  use prelude.Prelude
+  clone Core_Ops_Index_Index_Output as Output0 with type self = self, type idx = idx
+  val index_mut [@cfg:stackify] (self : borrowed self) (index : idx) : borrowed Output0.output
+    requires {false}
+    
+end
+module CreuSat_Assignments_Impl1
+  use mach.int.Int
+  use prelude.Prelude
+  use prelude.UInt8
+  use Type
+  use mach.int.UInt64
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Assignments_Impl0_Output as Output0
+  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model1 with function Model0.model = Model2.model
+  clone CreusotContracts_Logic_Model_Impl1_Model as Model0 with type t = Type.creusat_assignments_assignments,
+  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
+  clone CreuSat_Assignments_Impl1_IndexMut_Interface as IndexMut0 with function Model0.model = Model0.model,
+  function Model1.model = Model1.model
+  clone Core_Ops_Index_IndexMut_IndexMut_Interface as IndexMut1 with type self = Type.creusat_assignments_assignments,
+  type idx = usize, val index_mut = IndexMut0.index_mut, type Output0.output = Output0.output
+end
+module CreuSat_Trail_Impl0_Backstep_Interface
+  use mach.int.UInt64
+  use mach.int.Int
+  use mach.int.Int32
+  use prelude.Prelude
+  use Type
+  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror_Interface as InvariantNoDecisionMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model1
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision_Interface as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
+  axiom .
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val backstep [@cfg:stackify] (self : borrowed (Type.creusat_trail_trail)) (f : Type.creusat_formula_formula) : usize
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 58 4 58 30] Invariant0.invariant' f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 59 4 59 32] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) > 0}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 60 4 60 54] InvariantNoDecision0.invariant_no_decision ( * self) f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 61 4 61 77] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( * self))) f (Model1.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 60 4 60 54] InvariantNoDecision0.invariant_no_decision ( ^ self) f }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 62 4 62 86] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) f (Model1.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 63 4 63 37] UInt64.to_int result < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) }
+    
+end
+module CreuSat_Trail_Impl0_BacktrackTo_Interface
+  use seq.Seq
+  use mach.int.UInt64
+  use mach.int.Int
+  use prelude.Prelude
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model2
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = usize, type a = Type.alloc_alloc_global,
+  axiom .
+  val backtrack_to [@cfg:stackify] (self : borrowed (Type.creusat_trail_trail)) (level : usize) (f : Type.creusat_formula_formula) (d : borrowed (Type.creusat_decision_decisions)) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 113 4 113 49] Seq.length (Model0.model (Type.creusat_trail_trail_Trail_decisions ( * self))) > UInt64.to_int level}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 114 4 114 30] Invariant0.invariant' f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 115 4 115 42] Invariant1.invariant' ( * self) f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 116 4 116 48] Invariant2.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 118 4 118 77] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self))) f (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 115 4 115 42] Invariant1.invariant' ( ^ self) f }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 116 4 116 48] Invariant2.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 119 4 119 86] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) f (Model2.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
+    
+end
+module CreuSat_Trail_Impl0_BacktrackSafe_Interface
+  use mach.int.UInt64
+  use prelude.Prelude
+  use Type
+  use mach.int.Int
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model1
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val backtrack_safe [@cfg:stackify] (self : borrowed (Type.creusat_trail_trail)) (level : usize) (f : Type.creusat_formula_formula) (d : borrowed (Type.creusat_decision_decisions)) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 101 4 101 30] Invariant0.invariant' f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 102 4 102 42] Invariant1.invariant' ( * self) f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 103 4 103 48] Invariant2.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 104 4 104 77] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( * self))) f (Model1.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 102 4 102 42] Invariant1.invariant' ( ^ self) f }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 103 4 103 48] Invariant2.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 105 4 105 86] LongArePostUnitInner0.long_are_post_unit_inner (Model0.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) f (Model1.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
+    
+end
+module CreuSat_Trail_Impl0_EnqAssignment_Interface
+  use mach.int.UInt64
+  use Type
+  use seq.Seq
+  use mach.int.Int
+  use mach.int.Int32
+  use prelude.Prelude
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToLit_Interface as ClausePostWithRegardsToLit0
+  clone CreuSat_Logic_LogicLit_Impl1_Sat_Interface as Sat0
+  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model3 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_Logic_Unset_Interface as Unset1
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model2
+  clone CreuSat_Logic_LogicLit_Impl1_IdxInTrail_Interface as IdxInTrail0
+  clone CreuSat_Logic_LogicLit_Impl1_Unsat_Interface as Unsat0
+  clone CreuSat_Logic_LogicLit_Impl1_Unset_Interface as Unset0
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl1_Invariant_Interface as Invariant3
+  clone CreuSat_Logic_LogicLit_Impl1_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant0
+  val enq_assignment [@cfg:stackify] (self : borrowed (Type.creusat_trail_trail)) (step : Type.creusat_trail_step) (_f : Type.creusat_formula_formula) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 211 4 211 43] Invariant0.invariant' ( * self) _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 212 4 212 31] Invariant1.invariant' _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 213 4 213 49] Invariant2.invariant' (Type.creusat_trail_step_Step_lit step) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 214 4 214 36] Invariant3.invariant' step _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 215 4 228 7] match (Type.creusat_trail_step_Step_reason step) with
+      | Type.CreuSat_Trail_Reason_Long cref -> UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) /\ Unset0.unset (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) 0) (Type.creusat_trail_trail_Trail_assignments ( * self)) /\ (forall i : (int) . 1 <= i /\ i < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) -> Unsat0.unsat (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) i) (Type.creusat_trail_trail_Trail_assignments ( * self))) /\ Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) 0 = Type.creusat_trail_step_Step_lit step
+      | Type.CreuSat_Trail_Reason_Unit cref -> UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) /\ Type.creusat_trail_step_Step_lit step = Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int cref))) 0
+      | _ -> true
+      end}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 229 4 229 51] not IdxInTrail0.idx_in_trail (Type.creusat_trail_step_Step_lit step) (Type.creusat_trail_trail_Trail_trail ( * self))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 230 4 230 67] Unset1.unset (Seq.get (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self))) (IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit step)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 231 4 231 78] LongArePostUnitInner0.long_are_post_unit_inner (Model3.model (Type.creusat_trail_trail_Trail_trail ( * self))) _f (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 211 4 211 43] Invariant0.invariant' ( ^ self) _f }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 232 4 233 94] forall j : (int) . 0 <= j /\ j < Seq.length (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self))) /\ j <> IndexLogic0.index_logic (Type.creusat_trail_step_Step_lit step) -> Seq.get (Model2.model (Type.creusat_trail_trail_Trail_assignments ( * self))) j = Seq.get (Model2.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) j }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 234 4 234 49] Sat0.sat (Type.creusat_trail_step_Step_lit step) (Type.creusat_trail_trail_Trail_assignments ( ^ self)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 235 4 235 87] LongArePostUnitInner0.long_are_post_unit_inner (Model3.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) _f (Model2.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 236 4 239 7] match (Type.creusat_trail_step_Step_reason step) with
+      | Type.CreuSat_Trail_Reason_Long k -> ClausePostWithRegardsToLit0.clause_post_with_regards_to_lit (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses _f)) (UInt64.to_int k)) (Type.creusat_trail_trail_Trail_assignments ( ^ self)) (Type.creusat_trail_step_Step_lit step)
+      | _ -> true
+      end }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 240 4 240 65] Seq.length (Model3.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) = 1 + Seq.length (Model3.model (Type.creusat_trail_trail_Trail_trail ( * self))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 241 4 241 51] Type.creusat_trail_trail_Trail_decisions ( ^ self) = Type.creusat_trail_trail_Trail_decisions ( * self) }
+    
+end
+module CreuSat_Solver_Impl0_HandleLongClause_Interface
   use mach.int.UInt64
   use mach.int.Int
   use prelude.Prelude
   use mach.int.Int32
+  use seq.Seq
   use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable_Interface as NotSatisfiable0
-  clone CreuSat_Logic_LogicAssignments_Impl1_Complete_Interface as Complete0
-  clone CreuSat_Logic_LogicFormula_Impl1_Sat_Interface as Sat0
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
+  clone CreuSat_Logic_LogicClause_EquisatExtensionInner_Interface as EquisatExtensionInner0
+  clone CreusotContracts_Logic_Model_Impl1_Model_Interface as Model0 with type t = Type.creusat_formula_formula,
+  type ModelTy0.modelTy = ModelTy0.modelTy
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant4
   clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant3
   clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
   clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   axiom .
-  val outer_loop [@cfg:stackify] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (d : borrowed (Type.creusat_decision_decisions)) (trail : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) : Type.creusat_solver_satresult
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 262 4 262 37] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 263 4 263 46] Invariant1.invariant' ( * trail) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 264 4 264 42] Invariant2.invariant' ( * w) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 265 4 265 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 266 4 266 41] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 267 4 267 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 262 4 262 37] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 263 4 263 46] Invariant1.invariant' ( ^ trail) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 264 4 264 42] Invariant2.invariant' ( ^ w) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 265 4 265 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 268 4 268 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 269 4 269 29] Equisat0.equisat ( * f) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 270 4 276 7] match (result) with
-      | Type.CreuSat_Solver_SatResult_Sat _ -> Sat0.sat ( ^ f) (Type.creusat_trail_trail_Trail_assignments ( ^ trail)) && Complete0.complete (Type.creusat_trail_trail_Trail_assignments ( ^ trail))
-      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable ( ^ f)
-      | Type.CreuSat_Solver_SatResult_Unknown -> true
-      | Type.CreuSat_Solver_SatResult_Err -> true
-      end }
+  val handle_long_clause [@cfg:stackify] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (t : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) (d : borrowed (Type.creusat_decision_decisions)) (clause : Type.creusat_clause_clause) (s_idx : usize) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 106 4 106 37] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 107 4 107 42] Invariant1.invariant' ( * t) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 108 4 108 42] Invariant2.invariant' ( * w) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 109 4 109 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 110 4 110 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 111 4 111 46] Invariant4.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 112 4 112 52] EquisatExtensionInner0.equisat_extension_inner clause (Model0.model f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 113 4 113 36] Seq.length (Model1.model clause) > 1}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 114 4 114 41] UInt64.to_int s_idx < Seq.length (Model1.model clause)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 106 4 106 37] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 107 4 107 42] Invariant1.invariant' ( ^ t) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 108 4 108 42] Invariant2.invariant' ( ^ w) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 109 4 109 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 115 4 115 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 116 4 116 29] Equisat0.equisat ( * f) ( ^ f) }
     
 end
-module CreuSat_Solver_Impl0_OuterLoop
+module CreuSat_Solver_Impl0_HandleLongClause
   use mach.int.UInt64
   use mach.int.Int
   use prelude.Prelude
   use mach.int.Int32
+  use seq.Seq
   use Type
   use prelude.UInt8
   clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model6 with function Model0.model = Model10.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model5 with function Model0.model = Model9.model
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model5.model
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
   clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
   function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner2 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner2.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner1 with function Model0.model = Model6.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat1 with function Model0.model = Model5.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant7 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model6.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model6.model,
+  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
   function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_watches_watcher,
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_clause_clause,
+  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model7.model
+  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model1.model,
+  predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_Logic_Unset as Unset0
+  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant8 with function Model0.model = Model7.model,
-  function Model1.model = Model6.model
+  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant8 with function Model0.model = Model8.model,
+  function Model1.model = Model1.model
+  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant7 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model1.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
+  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model11 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model1.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model8.model,
+  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
   clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant6 with predicate Invariant0.invariant' = Invariant7.invariant',
   predicate Invariant1.invariant' = Invariant8.invariant'
   clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model7.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model7.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model7.model,
-  function Model1.model = Model6.model, predicate Sat0.sat = Sat1.sat
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model8.model,
-  function Model1.model = Model7.model, function Model2.model = Model6.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Sat as Sat0 with function Model0.model = Model0.model,
-  function Model1.model = Model5.model,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model7.model,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model6.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model0.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_Logic_Unset as Unset0
+  clone CreuSat_Logic_LogicFormula_Impl2_SatInner as SatInner0 with function Model0.model = Model8.model,
+  predicate SatInner0.sat_inner = SatInner2.sat_inner
+  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
   clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model0.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model6.model,
-  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicAssignments_Impl1_Complete as Complete0 with function Model0.model = Model5.model,
-  predicate Unset0.unset = Unset0.unset
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant3 with function Model0.model = Model4.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
+  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant7.invariant'
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = Type.creusat_watches_watcher,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model3.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_trail_step,
+  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model9 with function Model0.model = Model11.model
+  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model9.model,
+  predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model8.model,
+  function Model1.model = Model1.model, predicate Sat0.sat = Sat0.sat
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = usize, type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model3.model,
+  predicate Sorted0.sorted = Sorted0.sorted
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_trail_step,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model2.model,
-  function Model1.model = Model5.model,
+  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model4.model,
+  function Model1.model = Model9.model,
   predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model2.model,
+  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model8.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic,
+  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
+  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model4.model,
   predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model2.model,
+  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model4.model,
   predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model1.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model5.model,
-  function Model1.model = Model2.model, predicate Invariant0.invariant' = Invariant6.invariant',
-  function Model2.model = Model1.model, function Model3.model = Model7.model,
+  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
+  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
+  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model9.model
+  clone CreuSat_Logic_LogicFormula_Impl2_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
+  predicate SatInner0.sat_inner = SatInner0.sat_inner
+  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
+  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
+  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
+  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_decision_node,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model10.model,
+  function Model1.model = Model8.model, function Model2.model = Model1.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model9.model,
+  function Model1.model = Model4.model, predicate Invariant0.invariant' = Invariant6.invariant',
+  function Model2.model = Model3.model, function Model3.model = Model8.model,
   predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
   predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
   predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat1.sat, predicate Sorted0.sorted = Sorted0.sorted,
+  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
   predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
   clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model2.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model1.model,
+  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model4.model,
+  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model3.model,
   predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
   predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model5.model,
+  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model9.model,
   predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
   predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
   predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
   predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model1.model,
+  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
+  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
+  function Model0.model = Model1.model
+  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model2 with function Model0.model = Model8.model
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror as InvariantMirror0 with function Model0.model = Model8.model,
+  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model1.model
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
+  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
+  clone CreusotContracts_Logic_Model_Impl1_Model as Model0 with type t = Type.creusat_formula_formula,
+  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model2.model
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant3 with function Model0.model = Model6.model
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model5.model,
+  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
   clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model1.model, function Model1.model = Model2.model,
+  function Model0.model = Model3.model, function Model1.model = Model4.model,
   predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  use mach.int.Int64
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve4 with type t = Type.creusat_trail_trail
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve3 with type t = Type.creusat_formula_formula
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_decision_decisions
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_solver_solver
-  clone Alloc_Vec_Impl0_New_Interface as New0 with type t = uint8, function Model0.model = Model9.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model11 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model5.model
-  clone CreuSat_Formula_Impl2_IsSat_Interface as IsSat0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant5.invariant', predicate Sat0.sat = Sat0.sat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Decision_Impl1_GetNext_Interface as GetNext0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  predicate Invariant1.invariant' = Invariant5.invariant', function Model0.model = Model11.model,
-  predicate Unset0.unset = Unset0.unset, predicate Complete0.complete = Complete0.complete
-  clone CreuSat_Trail_Impl0_DecisionLevel_Interface as DecisionLevel0 with function Model0.model = Model1.model
-  clone CreuSat_Trail_Impl0_EnqDecision_Interface as EnqDecision0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', function Model0.model = Model5.model,
-  predicate Unset0.unset = Unset0.unset, function Model1.model = Model2.model,
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  function Model0.model = Model2.model,
+  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
+  clone CreuSat_Logic_LogicClause_Impl2_VarsInRange as VarsInRange0 with function Model0.model = Model1.model,
+  predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner
+  clone CreuSat_Logic_LogicLit_Impl1_UnsetInner as UnsetInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicClause_Impl2_UnitInner as UnitInner0 with predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range,
+  predicate SatInner0.sat_inner = SatInner2.sat_inner, function Model0.model = Model1.model,
+  predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner
+  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToLit as ClausePostWithRegardsToLit0 with function Model0.model = Model9.model,
+  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
+  clone CreuSat_Logic_LogicLit_Impl1_IdxInTrail as IdxInTrail0 with function Model0.model = Model4.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicLit_Impl1_Unsat as Unsat0 with function Model0.model = Model9.model,
+  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
+  clone CreuSat_Logic_LogicLit_Impl1_Unset as Unset1 with function Model0.model = Model9.model,
+  predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner
+  clone CreuSat_Logic_LogicClause_Impl2_Unit as Unit0 with function Model0.model = Model9.model,
+  predicate UnitInner0.unit_inner = UnitInner0.unit_inner
+  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve7 with type t = usize
+  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
+  clone CreusotContracts_Logic_Model_Impl0_Model as Model14 with type t = Type.creusat_clause_clause,
+  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model1.model
+  clone CreusotContracts_Logic_Model_Impl0_Model as Model13 with type t = Type.creusat_formula_formula,
+  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model2.model
+  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model2.model,
+  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
+  clone CreusotContracts_Logic_Model_Impl1_Model as Model12 with type t = Type.creusat_clause_clause,
+  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model1.model
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve6 with type t = Type.creusat_solver_solver
+  clone CreuSat_Solver_Impl0_IncreaseNumConflicts_Interface as IncreaseNumConflicts0
+  clone CreuSat_Solver_Impl0_IncreaseNumLemmas_Interface as IncreaseNumLemmas0
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve5 with type t = Type.creusat_trail_trail
+  clone CreuSat_Trail_Impl0_EnqAssignment_Interface as EnqAssignment0 with predicate Invariant0.invariant' = Invariant1.invariant',
+  predicate Invariant1.invariant' = Invariant0.invariant', predicate Invariant2.invariant' = Invariant7.invariant',
+  predicate Invariant3.invariant' = Invariant6.invariant', function Model0.model = Model8.model,
+  function Model1.model = Model1.model, predicate Unset0.unset = Unset1.unset, predicate Unsat0.unsat = Unsat0.unsat,
+  predicate IdxInTrail0.idx_in_trail = IdxInTrail0.idx_in_trail, function Model2.model = Model9.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate Unset1.unset = Unset0.unset,
+  function Model3.model = Model4.model,
   predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
+  predicate Sat0.sat = Sat0.sat,
+  predicate ClausePostWithRegardsToLit0.clause_post_with_regards_to_lit = ClausePostWithRegardsToLit0.clause_post_with_regards_to_lit,
   predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Trail_Impl0_BacktrackTo_Interface as BacktrackTo0 with function Model0.model = Model1.model,
-  predicate Invariant0.invariant' = Invariant0.invariant', predicate Invariant1.invariant' = Invariant1.invariant',
-  predicate Invariant2.invariant' = Invariant3.invariant', function Model1.model = Model2.model,
-  function Model2.model = Model5.model,
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve4 with type t = Type.creusat_formula_formula
+  clone CreuSat_Clause_Impl3_UnitAndUnset_Interface as UnitAndUnset0 with function Model0.model = Model14.model,
+  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal,
+  predicate Invariant0.invariant' = Invariant5.invariant', predicate Unit0.unit = Unit0.unit,
+  predicate Unset0.unset = Unset1.unset
+  clone CreuSat_Clause_Impl0_Index_Interface as Index1 with function Model0.model = Model14.model
+  clone CreuSat_Formula_Impl0_Index_Interface as Index0 with function Model0.model = Model13.model
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve3 with type t = Type.creusat_decision_decisions
+  clone CreuSat_Trail_Impl0_BacktrackSafe_Interface as BacktrackSafe0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant3.invariant',
+  function Model0.model = Model4.model, function Model1.model = Model9.model,
   predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
   predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Formula_Impl2_ReduceDb_Interface as ReduceDb0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant1.invariant',
-  predicate Equisat0.equisat = Equisat0.equisat,
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Solver_Impl0_UnitPropLoop_Interface as UnitPropLoop0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  clone CreuSat_Util_UpdateSlow_Interface as UpdateSlow0
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = usize
+  clone CreuSat_Util_UpdateFast_Interface as UpdateFast0
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_watches_watches
+  clone CreuSat_Formula_Impl2_AddClause_Interface as AddClause0 with predicate Invariant0.invariant' = Invariant0.invariant',
   predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  predicate Invariant3.invariant' = Invariant3.invariant',
-  predicate NotSatisfiable0.not_satisfiable = NotSatisfiable0.not_satisfiable,
-  predicate Equisat0.equisat = Equisat0.equisat,
+  function Model0.model = Model1.model, predicate Invariant3.invariant' = Invariant4.invariant',
+  function Model1.model = Model0.model,
+  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
+  predicate Equisat0.equisat = Equisat0.equisat, function Model2.model = Model8.model,
   predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg outer_loop [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 277 4 277 113] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (d : borrowed (Type.creusat_decision_decisions)) (trail : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) : Type.creusat_solver_satresult
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 262 4 262 37] Invariant0.invariant' ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 263 4 263 46] Invariant1.invariant' ( * trail) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 264 4 264 42] Invariant2.invariant' ( * w) ( * f)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 265 4 265 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 266 4 266 41] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 267 4 267 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 262 4 262 37] Invariant0.invariant' ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 263 4 263 46] Invariant1.invariant' ( ^ trail) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 264 4 264 42] Invariant2.invariant' ( ^ w) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 265 4 265 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 268 4 268 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 269 4 269 29] Equisat0.equisat ( * f) ( ^ f) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 270 4 276 7] match (result) with
-      | Type.CreuSat_Solver_SatResult_Sat _ -> Sat0.sat ( ^ f) (Type.creusat_trail_trail_Trail_assignments ( ^ trail)) && Complete0.complete (Type.creusat_trail_trail_Trail_assignments ( ^ trail))
-      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable ( ^ f)
-      | Type.CreuSat_Solver_SatResult_Unknown -> true
-      | Type.CreuSat_Solver_SatResult_Err -> true
-      end }
-    
-   =
-  var _0 : Type.creusat_solver_satresult;
+  clone CreuSat_Clause_Impl3_CalcLbd_Interface as CalcLbd0 with function Model0.model = Model3.model,
+  predicate Invariant0.invariant' = Invariant4.invariant'
+  clone CreusotContracts_Logic_Resolve_Impl0_Resolve as Resolve0 with type t1 = usize, type t2 = usize,
+  predicate Resolve0.resolve = Resolve7.resolve, predicate Resolve1.resolve = Resolve7.resolve
+  clone CreuSat_Solver_GetAssertingLevel_Interface as GetAssertingLevel0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant1.invariant', function Model0.model = Model13.model,
+  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
+  predicate Invariant2.invariant' = Invariant4.invariant', function Model1.model = Model14.model,
+  predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
+  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreuSat_Clause_Impl3_SwapLitsInClause_Interface as SwapLitsInClause0 with function Model0.model = Model12.model,
+  predicate Invariant0.invariant' = Invariant4.invariant',
+  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension,
+  function Model1.model = Model1.model
+  let rec cfg handle_long_clause [@cfg:stackify] [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 117 4 119 5] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (t : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) (d : borrowed (Type.creusat_decision_decisions)) (clause : Type.creusat_clause_clause) (s_idx : usize) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 106 4 106 37] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 107 4 107 42] Invariant1.invariant' ( * t) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 108 4 108 42] Invariant2.invariant' ( * w) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 109 4 109 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 110 4 110 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 111 4 111 46] Invariant4.invariant' clause (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 112 4 112 52] EquisatExtensionInner0.equisat_extension_inner clause (Model0.model f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 113 4 113 36] Seq.length (Model1.model clause) > 1}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 114 4 114 41] UInt64.to_int s_idx < Seq.length (Model1.model clause)}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 106 4 106 37] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 107 4 107 42] Invariant1.invariant' ( ^ t) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 108 4 108 42] Invariant2.invariant' ( ^ w) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 109 4 109 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 115 4 115 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 116 4 116 29] Equisat0.equisat ( * f) ( ^ f) }
+    
+   = [@vc:do_not_keep_trace] [@vc:sp]
+  var _0 : ();
   var self_1 : borrowed (Type.creusat_solver_solver);
   var f_2 : borrowed (Type.creusat_formula_formula);
-  var d_3 : borrowed (Type.creusat_decision_decisions);
-  var trail_4 : borrowed (Type.creusat_trail_trail);
-  var w_5 : borrowed (Type.creusat_watches_watches);
-  var _6 : ();
-  var _7 : Type.core_option_option bool;
-  var _8 : borrowed (Type.creusat_solver_solver);
-  var _9 : borrowed (Type.creusat_formula_formula);
-  var _10 : borrowed (Type.creusat_decision_decisions);
-  var _11 : borrowed (Type.creusat_trail_trail);
-  var _12 : borrowed (Type.creusat_watches_watches);
-  var _13 : isize;
-  var _14 : ();
-  var _15 : ();
-  var slow_16 : usize;
-  var _17 : bool;
-  var _18 : usize;
-  var _19 : usize;
-  var _20 : bool;
-  var _21 : usize;
+  var t_3 : borrowed (Type.creusat_trail_trail);
+  var w_4 : borrowed (Type.creusat_watches_watches);
+  var d_5 : borrowed (Type.creusat_decision_decisions);
+  var clause_6 : Type.creusat_clause_clause;
+  var s_idx_7 : usize;
+  var _8 : ();
+  var _9 : borrowed (Type.creusat_clause_clause);
+  var _10 : Type.creusat_formula_formula;
+  var _11 : usize;
+  var idx_12 : usize;
+  var level_13 : usize;
+  var _14 : (usize, usize);
+  var _15 : Type.creusat_clause_clause;
+  var _16 : Type.creusat_clause_clause;
+  var _17 : Type.creusat_trail_trail;
+  var _18 : Type.creusat_formula_formula;
+  var _19 : ();
+  var _20 : borrowed (Type.creusat_clause_clause);
+  var _21 : Type.creusat_formula_formula;
   var _22 : usize;
-  var _23 : bool;
-  var _24 : ();
-  var _25 : bool;
-  var _26 : bool;
-  var _27 : usize;
-  var _28 : Type.creusat_trail_trail;
-  var _29 : bool;
-  var _30 : usize;
-  var _31 : usize;
-  var _32 : usize;
+  var lbd_23 : usize;
+  var _24 : Type.creusat_clause_clause;
+  var _25 : Type.creusat_formula_formula;
+  var _26 : borrowed (Type.creusat_solver_solver);
+  var _27 : Type.creusat_trail_trail;
+  var cref_28 : usize;
+  var _29 : borrowed (Type.creusat_formula_formula);
+  var _30 : Type.creusat_clause_clause;
+  var _31 : borrowed (Type.creusat_watches_watches);
+  var _32 : Type.creusat_trail_trail;
   var _33 : ();
-  var _34 : bool;
-  var _35 : usize;
+  var _34 : borrowed usize;
+  var _35 : borrowed usize;
   var _36 : usize;
   var _37 : ();
-  var _38 : borrowed (Type.creusat_formula_formula);
-  var _39 : borrowed (Type.creusat_watches_watches);
-  var _40 : Type.creusat_trail_trail;
-  var _41 : borrowed (Type.creusat_solver_solver);
-  var _42 : ();
-  var _43 : borrowed (Type.creusat_trail_trail);
+  var _38 : borrowed usize;
+  var _39 : borrowed usize;
+  var _40 : usize;
+  var _41 : ();
+  var _42 : borrowed (Type.creusat_trail_trail);
+  var _43 : usize;
   var _44 : Type.creusat_formula_formula;
   var _45 : borrowed (Type.creusat_decision_decisions);
-  var _46 : ();
-  var _47 : Type.core_option_option usize;
-  var _48 : borrowed (Type.creusat_decision_decisions);
-  var _49 : Type.creusat_assignments_assignments;
-  var _50 : Type.creusat_assignments_assignments;
-  var _51 : Type.creusat_formula_formula;
-  var _52 : isize;
-  var next_53 : usize;
-  var _54 : ();
-  var _55 : borrowed (Type.creusat_trail_trail);
+  var lit_46 : Type.creusat_lit_lit;
+  var _47 : Type.creusat_lit_lit;
+  var _48 : Type.creusat_clause_clause;
+  var _49 : Type.creusat_clause_clause;
+  var _50 : Type.creusat_formula_formula;
+  var _51 : usize;
+  var step_52 : Type.creusat_trail_step;
+  var _53 : Type.creusat_lit_lit;
+  var _54 : usize;
+  var _55 : Type.creusat_trail_reason;
   var _56 : usize;
-  var _57 : Type.creusat_formula_formula;
+  var _57 : ();
   var _58 : bool;
-  var _59 : Type.creusat_formula_formula;
-  var _60 : Type.creusat_assignments_assignments;
-  var _61 : Type.creusat_assignments_assignments;
-  var _62 : ();
-  var _63 : Type.alloc_vec_vec uint8 (Type.alloc_alloc_global);
-  var _64 : ();
+  var _59 : Type.creusat_clause_clause;
+  var _60 : Type.creusat_clause_clause;
+  var _61 : Type.creusat_formula_formula;
+  var _62 : usize;
+  var _63 : Type.creusat_assignments_assignments;
+  var _64 : Type.creusat_assignments_assignments;
+  var _65 : Type.creusat_formula_formula;
+  var _66 : ();
+  var _67 : borrowed (Type.creusat_trail_trail);
+  var _68 : Type.creusat_trail_step;
+  var _69 : Type.creusat_formula_formula;
+  var _70 : ();
+  var _71 : borrowed (Type.creusat_solver_solver);
+  var _72 : ();
+  var _73 : borrowed (Type.creusat_solver_solver);
   {
     self_1 <- self;
     f_2 <- f;
-    d_3 <- d;
-    trail_4 <- trail;
-    w_5 <- w;
+    t_3 <- t;
+    w_4 <- w;
+    d_5 <- d;
+    clause_6 <- clause;
+    s_idx_7 <- s_idx;
     goto BB0
   }
   BB0 {
-    _8 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _8) };
-    _9 <- borrow_mut ( * f_2);
-    f_2 <- { f_2 with current = ( ^ _9) };
-    _10 <- borrow_mut ( * d_3);
-    d_3 <- { d_3 with current = ( ^ _10) };
-    _11 <- borrow_mut ( * trail_4);
-    trail_4 <- { trail_4 with current = ( ^ _11) };
-    _12 <- borrow_mut ( * w_5);
-    w_5 <- { w_5 with current = ( ^ _12) };
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 278 14 278 49] UnitPropLoop0.unit_prop_loop _8 _9 _10 _11 _12);
     goto BB1
   }
   BB1 {
-    switch (_7)
-      | Type.Core_Option_Option_None -> goto BB5
-      | Type.Core_Option_Option_Some _ -> goto BB2
-      end
+    goto BB2
   }
   BB2 {
-    switch (Type.core_option_option_Some_0 _7)
-      | False -> goto BB4
-      | _ -> goto BB3
-      end
+    goto BB3
   }
   BB3 {
-    _6 <- ();
-    _18 <- Type.creusat_solver_solver_Solver_slow ( * self_1);
-    _20 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 283 34 283 48] (2 : usize) = (0 : usize));
-    assert { not _20 };
-    goto BB6
+    goto BB4
   }
   BB4 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve3.resolve f_2 };
-    assume { Resolve2.resolve d_3 };
-    assume { Resolve4.resolve trail_4 };
-    assume { Resolve1.resolve w_5 };
-    _0 <- Type.CreuSat_Solver_SatResult_Unsat;
-    goto BB34
+    _9 <- borrow_mut clause_6;
+    clause_6 <-  ^ _9;
+    _10 <-  * f_2;
+    _11 <- s_idx_7;
+    _8 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 120 8 120 47] SwapLitsInClause0.swap_lits_in_clause _9 _10 _11 (0 : usize));
+    goto BB5
   }
   BB5 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve3.resolve f_2 };
-    assume { Resolve2.resolve d_3 };
-    assume { Resolve4.resolve trail_4 };
-    assume { Resolve1.resolve w_5 };
-    _0 <- Type.CreuSat_Solver_SatResult_Err;
-    goto BB34
+    _16 <- clause_6;
+    _15 <- _16;
+    _17 <-  * t_3;
+    _18 <-  * f_2;
+    _14 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 121 27 121 61] GetAssertingLevel0.get_asserting_level _15 _17 _18);
+    goto BB6
   }
   BB6 {
-    _19 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 283 34 283 48] (18446744073709551615 : usize) / (2 : usize));
-    _17 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 283 22 283 48] _18 < _19);
-    switch (_17)
-      | False -> goto BB9
-      | _ -> goto BB7
-      end
+    idx_12 <- (let (a, _) = _14 in a);
+    level_13 <- (let (_, a) = _14 in a);
+    assume { Resolve0.resolve _14 };
+    _20 <- borrow_mut clause_6;
+    clause_6 <-  ^ _20;
+    _21 <-  * f_2;
+    _22 <- idx_12;
+    _19 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 122 8 122 45] SwapLitsInClause0.swap_lits_in_clause _20 _21 _22 (1 : usize));
+    goto BB7
   }
   BB7 {
-    _22 <- Type.creusat_solver_solver_Solver_slow ( * self_1);
-    _23 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 283 51 283 68] (100 : usize) = (0 : usize));
-    assert { not _23 };
+    _24 <- clause_6;
+    _25 <-  * f_2;
+    _26 <- borrow_mut ( * self_1);
+    self_1 <- { self_1 with current = ( ^ _26) };
+    _27 <-  * t_3;
+    lbd_23 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 125 18 125 45] CalcLbd0.calc_lbd _24 _25 _26 _27);
     goto BB8
   }
   BB8 {
-    _21 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 283 51 283 68] _22 / (100 : usize));
-    slow_16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 283 51 283 74] _21 * (125 : usize));
-    goto BB10
+    _29 <- borrow_mut ( * f_2);
+    f_2 <- { f_2 with current = ( ^ _29) };
+    _30 <- clause_6;
+    _31 <- borrow_mut ( * w_4);
+    w_4 <- { w_4 with current = ( ^ _31) };
+    _32 <-  * t_3;
+    cref_28 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 126 19 126 45] AddClause0.add_clause _29 _30 _31 _32);
+    goto BB9
   }
   BB9 {
-    slow_16 <- Type.creusat_solver_solver_Solver_slow ( * self_1);
+    assume { Resolve1.resolve w_4 };
+    _35 <- borrow_mut (Type.creusat_solver_solver_Solver_fast ( * self_1));
+    self_1 <- { self_1 with current = (let Type.CreuSat_Solver_Solver a b c d e f g h =  * self_1 in Type.CreuSat_Solver_Solver a b c d e ( ^ _35) g h) };
+    _34 <- borrow_mut ( * _35);
+    _35 <- { _35 with current = ( ^ _34) };
+    _36 <- lbd_23;
+    _33 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 127 8 127 40] UpdateFast0.update_fast _34 _36);
     goto BB10
   }
   BB10 {
-    _28 <-  * trail_4;
-    _27 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 284 11 284 33] DecisionLevel0.decision_level _28);
-    goto BB14
+    assume { Resolve2.resolve _35 };
+    _39 <- borrow_mut (Type.creusat_solver_solver_Solver_slow ( * self_1));
+    self_1 <- { self_1 with current = (let Type.CreuSat_Solver_Solver a b c d e f g h =  * self_1 in Type.CreuSat_Solver_Solver a b c d e f ( ^ _39) h) };
+    _38 <- borrow_mut ( * _39);
+    _39 <- { _39 with current = ( ^ _38) };
+    _40 <- lbd_23;
+    _37 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 128 8 128 40] UpdateSlow0.update_slow _38 _40);
+    goto BB11
   }
   BB11 {
-    _25 <- false;
-    goto BB13
+    assume { Resolve2.resolve _39 };
+    _42 <- borrow_mut ( * t_3);
+    t_3 <- { t_3 with current = ( ^ _42) };
+    _43 <- level_13;
+    _44 <-  * f_2;
+    _45 <- borrow_mut ( * d_5);
+    d_5 <- { d_5 with current = ( ^ _45) };
+    _41 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 131 8 131 37] BacktrackSafe0.backtrack_safe _42 _43 _44 _45);
+    goto BB12
   }
   BB12 {
-    _30 <- Type.creusat_solver_solver_Solver_fast ( * self_1);
-    _31 <- slow_16;
-    _29 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 284 41 284 57] _30 > _31);
-    _25 <- _29;
+    assume { Resolve3.resolve d_5 };
+    _50 <-  * f_2;
+    _51 <- cref_28;
+    _49 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 133 18 133 25] Index0.index _50 _51);
     goto BB13
   }
   BB13 {
-    switch (_25)
-      | False -> goto BB21
-      | _ -> goto BB15
-      end
+    _48 <- _49;
+    _47 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 133 18 133 28] Index1.index _48 (0 : usize));
+    goto BB14
   }
   BB14 {
-    _26 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 284 11 284 37] _27 > (0 : usize));
-    switch (_26)
-      | False -> goto BB11
-      | _ -> goto BB12
-      end
-  }
-  BB15 {
-    _32 <- slow_16;
-    self_1 <- { self_1 with current = (let Type.CreuSat_Solver_Solver a b c d e f g h =  * self_1 in Type.CreuSat_Solver_Solver a b c d e _32 g h) };
-    _35 <- Type.creusat_solver_solver_Solver_num_lemmas ( * self_1);
-    _36 <- Type.creusat_solver_solver_Solver_max_lemmas ( * self_1);
-    _34 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 286 15 286 48] _35 > _36);
-    switch (_34)
-      | False -> goto BB18
-      | _ -> goto BB16
-      end
-  }
-  BB16 {
-    _38 <- borrow_mut ( * f_2);
-    f_2 <- { f_2 with current = ( ^ _38) };
-    _39 <- borrow_mut ( * w_5);
-    w_5 <- { w_5 with current = ( ^ _39) };
-    _40 <-  * trail_4;
-    _41 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _41) };
-    _37 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 287 16 287 42] ReduceDb0.reduceDB _38 _39 _40 _41);
-    goto BB17
-  }
-  BB17 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve w_5 };
-    _33 <- ();
-    goto BB19
-  }
-  BB18 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve w_5 };
-    _33 <- ();
-    goto BB19
-  }
-  BB19 {
-    _43 <- borrow_mut ( * trail_4);
-    trail_4 <- { trail_4 with current = ( ^ _43) };
-    _44 <-  * f_2;
-    _45 <- borrow_mut ( * d_3);
-    d_3 <- { d_3 with current = ( ^ _45) };
-    _42 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 289 12 289 39] BacktrackTo0.backtrack_to _43 (0 : usize) _44 _45);
-    goto BB20
-  }
-  BB20 {
-    _24 <- ();
-    goto BB22
-  }
-  BB21 {
-    assume { Resolve0.resolve self_1 };
-    assume { Resolve1.resolve w_5 };
-    _24 <- ();
-    goto BB22
-  }
-  BB22 {
-    _48 <- borrow_mut ( * d_3);
-    d_3 <- { d_3 with current = ( ^ _48) };
-    _50 <- Type.creusat_trail_trail_Trail_assignments ( * trail_4);
-    _49 <- _50;
-    _51 <-  * f_2;
-    _47 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 292 14 292 47] GetNext0.get_next _48 _49 _51);
-    goto BB23
-  }
-  BB23 {
-    assume { Resolve2.resolve d_3 };
-    switch (_47)
-      | Type.Core_Option_Option_None -> goto BB24
-      | Type.Core_Option_Option_Some _ -> goto BB26
-      end
-  }
-  BB24 {
-    _59 <-  * f_2;
-    assume { Resolve3.resolve f_2 };
-    _61 <- Type.creusat_trail_trail_Trail_assignments ( * trail_4);
-    assume { Resolve4.resolve trail_4 };
-    _60 <- _61;
-    _58 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 301 19 301 47] IsSat0.is_sat _59 _60);
-    goto BB28
-  }
-  BB25 {
-    assume { Resolve3.resolve f_2 };
-    assume { Resolve4.resolve trail_4 };
-    absurd
-  }
-  BB26 {
-    next_53 <- Type.core_option_option_Some_0 _47;
-    _55 <- borrow_mut ( * trail_4);
-    trail_4 <- { trail_4 with current = ( ^ _55) };
-    _56 <- next_53;
-    _57 <-  * f_2;
-    assume { Resolve3.resolve f_2 };
-    _54 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 294 16 294 43] EnqDecision0.enq_decision _55 _56 _57);
-    goto BB27
-  }
-  BB27 {
-    assume { Resolve4.resolve trail_4 };
-    _46 <- ();
-    _0 <- Type.CreuSat_Solver_SatResult_Unknown;
-    goto BB35
+    lit_46 <- _47;
+    _53 <- lit_46;
+    _54 <- level_13;
+    _56 <- cref_28;
+    _55 <- Type.CreuSat_Trail_Reason_Long _56;
+    step_52 <- Type.CreuSat_Trail_Step _53 _54 _55;
+    _61 <-  * f_2;
+    _62 <- cref_28;
+    _60 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 140 11 140 18] Index0.index _61 _62);
+    goto BB15
   }
-  BB28 {
+  BB15 {
+    _59 <- _60;
+    _64 <- Type.creusat_trail_trail_Trail_assignments ( * t_3);
+    _63 <- _64;
+    _65 <-  * f_2;
+    _58 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 140 11 140 52] UnitAndUnset0.unit_and_unset _59 _63 _65);
+    goto BB16
+  }
+  BB16 {
     switch (_58)
-      | False -> goto BB32
-      | _ -> goto BB29
+      | False -> goto BB19
+      | _ -> goto BB17
       end
   }
-  BB29 {
-    _63 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 302 42 302 52] New0.new ());
-    goto BB30
+  BB17 {
+    _67 <- borrow_mut ( * t_3);
+    t_3 <- { t_3 with current = ( ^ _67) };
+    _68 <- step_52;
+    _69 <-  * f_2;
+    assume { Resolve4.resolve f_2 };
+    _66 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 141 12 141 37] EnqAssignment0.enq_assignment _67 _68 _69);
+    goto BB18
   }
-  BB30 {
-    _0 <- Type.CreuSat_Solver_SatResult_Sat _63;
-    goto BB31
+  BB18 {
+    assume { Resolve5.resolve t_3 };
+    _57 <- ();
+    goto BB20
   }
-  BB31 {
-    goto BB33
+  BB19 {
+    assume { Resolve4.resolve f_2 };
+    assume { Resolve5.resolve t_3 };
+    _57 <- ();
+    goto BB20
   }
-  BB32 {
-    _0 <- Type.CreuSat_Solver_SatResult_Err;
-    goto BB33
+  BB20 {
+    _71 <- borrow_mut ( * self_1);
+    self_1 <- { self_1 with current = ( ^ _71) };
+    _70 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 144 8 144 34] IncreaseNumLemmas0.increase_num_lemmas _71);
+    goto BB21
   }
-  BB33 {
-    goto BB35
+  BB21 {
+    _73 <- borrow_mut ( * self_1);
+    self_1 <- { self_1 with current = ( ^ _73) };
+    _72 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 145 8 145 37] IncreaseNumConflicts0.increase_num_conflicts _73);
+    goto BB22
   }
-  BB34 {
-    goto BB35
+  BB22 {
+    assume { Resolve6.resolve self_1 };
+    _0 <- ();
+    goto BB23
   }
-  BB35 {
+  BB23 {
     return _0
   }
   
 end
-module CreuSat_Solver_Impl0_Inner_Interface
+module CreuSat_Trail_Impl0_LearnUnit_Interface
   use mach.int.UInt64
+  use seq.Seq
   use mach.int.Int
-  use prelude.Prelude
   use mach.int.Int32
   use Type
-  use prelude.UInt8
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable_Interface as NotSatisfiable0
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss_Interface as EventuallySatCompleteNoAss0
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner_Interface as SatInner0
-  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = uint8, type a = Type.alloc_alloc_global,
+  use prelude.Prelude
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicLit_Impl1_Sat_Interface as Sat0
+  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model3
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model2 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant_Interface as Invariant3
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant2 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant3
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
   clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant0
+  val learn_unit [@cfg:stackify] (self : borrowed (Type.creusat_trail_trail)) (cref : usize) (f : Type.creusat_formula_formula) (d : borrowed (Type.creusat_decision_decisions)) : Type.core_result_result () ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 302 4 302 42] Invariant0.invariant' ( * self) f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 303 4 303 48] Invariant1.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 304 4 304 30] Invariant2.invariant' f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 305 4 305 43] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 306 4 306 50] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) = 1}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 307 4 307 59] Invariant3.invariant' (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref)) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 313 4 313 77] LongArePostUnitInner0.long_are_post_unit_inner (Model2.model (Type.creusat_trail_trail_Trail_trail ( * self))) f (Model3.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 302 4 302 42] Invariant0.invariant' ( ^ self) f }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 303 4 303 48] Invariant1.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 310 4 312 70] match (result) with
+      | Type.Core_Result_Result_Err _ -> true
+      | Type.Core_Result_Result_Ok _ -> Sat0.sat (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) 0) (Type.creusat_trail_trail_Trail_assignments ( ^ self))
+      end }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 314 4 314 86] LongArePostUnitInner0.long_are_post_unit_inner (Model2.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) f (Model3.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
+    
+end
+module CreuSat_Solver_Impl0_HandleConflict_Interface
+  use mach.int.UInt64
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.Int32
+  use seq.Seq
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable_Interface as NotSatisfiable0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant3
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   axiom .
-  val inner [@cfg:stackify] (self : borrowed (Type.creusat_solver_solver)) (formula : borrowed (Type.creusat_formula_formula)) (decisions : Type.creusat_decision_decisions) (trail : Type.creusat_trail_trail) (watches : Type.creusat_watches_watches) : Type.creusat_solver_satresult
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 313 4 313 50] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 314 4 314 36] Invariant0.invariant' ( * formula)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 315 4 315 55] Invariant1.invariant' decisions (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 316 4 316 42] Invariant2.invariant' trail ( * formula)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 317 4 317 44] Invariant3.invariant' watches ( * formula)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 318 4 318 55] Invariant1.invariant' decisions (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 319 4 323 7] match (result) with
-      | Type.CreuSat_Solver_SatResult_Sat v -> SatInner0.sat_inner ( ^ formula) (Model0.model v) && Equisat0.equisat ( * formula) ( ^ formula) && EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass ( * formula)
-      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable ( ^ formula) && Equisat0.equisat ( * formula) ( ^ formula)
-      | _ -> true
+  val handle_conflict [@cfg:stackify] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (t : borrowed (Type.creusat_trail_trail)) (cref : usize) (w : borrowed (Type.creusat_watches_watches)) (d : borrowed (Type.creusat_decision_decisions)) : Type.core_option_option bool
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 149 4 149 37] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 150 4 150 42] Invariant1.invariant' ( * t) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 151 4 151 42] Invariant2.invariant' ( * w) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 152 4 152 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 153 4 153 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 154 4 154 43] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 155 4 155 57] Unsat0.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref)) (Type.creusat_trail_trail_Trail_assignments ( * t))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 149 4 149 37] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 150 4 150 42] Invariant1.invariant' ( ^ t) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 151 4 151 42] Invariant2.invariant' ( ^ w) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 152 4 152 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 156 4 156 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 157 4 157 29] Equisat0.equisat ( * f) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 158 4 162 7] match (result) with
+      | Type.Core_Option_Option_Some (False) -> NotSatisfiable0.not_satisfiable ( ^ f)
+      | Type.Core_Option_Option_Some (True) -> true
+      | Type.Core_Option_Option_None -> true
       end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 324 4 324 41] Equisat0.equisat ( * formula) ( ^ formula) }
     
 end
-module CreuSat_Solver_Impl0_Inner
+module CreuSat_Solver_Impl0_HandleConflict
   use mach.int.UInt64
   use mach.int.Int
   use prelude.Prelude
   use mach.int.Int32
+  use seq.Seq
   use Type
   use prelude.UInt8
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
   clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
+  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
   clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = Type.creusat_lit_lit,
   type a = Type.alloc_alloc_global, axiom .
   clone CreuSat_Logic_LogicClause_Impl0_Model as Model7 with function Model0.model = Model10.model
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model7.model,
+  predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
   clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
   clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant7 with function IndexLogic0.index_logic = IndexLogic0.index_logic
   clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model7.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner2 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner2.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner1 with function Model0.model = Model7.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_Logic_Unset as Unset0
+  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
   clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
   predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_clause_clause,
+  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant8 with function Model0.model = Model6.model,
+  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant8 with function Model0.model = Model0.model,
   function Model1.model = Model7.model
+  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model7.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
+  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
+  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model7.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model0.model,
+  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
   clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant6 with predicate Invariant0.invariant' = Invariant7.invariant',
   predicate Invariant1.invariant' = Invariant8.invariant'
   clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model6.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model6.model,
+  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
+  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
+  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
+  clone CreuSat_Logic_LogicFormula_Impl2_SatInner as SatInner0 with function Model0.model = Model0.model,
+  predicate SatInner0.sat_inner = SatInner2.sat_inner
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_watches_watcher,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model6 with function Model0.model = Model9.model
+  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model6.model,
+  predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model0.model,
+  function Model1.model = Model7.model, predicate Sat0.sat = Sat0.sat
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = usize, type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model2.model,
+  predicate Sorted0.sorted = Sorted0.sorted
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model3.model,
+  function Model1.model = Model6.model,
+  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
+  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model0.model,
   function IndexLogic0.index_logic = IndexLogic0.index_logic,
   predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model9.model,
-  function Model1.model = Model6.model, function Model2.model = Model7.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model1 with function Model0.model = Model6.model
+  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model3.model,
+  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
+  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model3.model,
+  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
+  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
+  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
+  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model6.model
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model7.model,
+  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
+  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model1 with function Model0.model = Model0.model
   clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model1.model,
   predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model7.model,
-  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model6.model,
-  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model7.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model1.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner0 with function Model0.model = Model6.model,
-  predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
+  clone CreuSat_Logic_LogicFormula_Impl2_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
   predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model8 with function Model0.model = Model0.model
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model8.model,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model6.model,
-  function Model1.model = Model7.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model8.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
+  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner as UnsatInner0 with function Model0.model = Model7.model,
+  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_decision_node,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant3 with function Model0.model = Model5.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_trail_step,
+  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model8.model,
+  function Model1.model = Model0.model, function Model2.model = Model7.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model4.model,
-  function Model1.model = Model8.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model4.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model4.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model3.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model8.model,
-  function Model1.model = Model4.model, predicate Invariant0.invariant' = Invariant6.invariant',
-  function Model2.model = Model3.model, function Model3.model = Model6.model,
+  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model6.model,
+  function Model1.model = Model3.model, predicate Invariant0.invariant' = Invariant6.invariant',
+  function Model2.model = Model2.model, function Model3.model = Model0.model,
   predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
   predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
   predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
   predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
   predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
   clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model4.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model3.model,
+  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model3.model,
+  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model2.model,
   predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
   predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model8.model,
+  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model6.model,
   predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
   predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
   predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
   predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant2 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model3.model, function Model1.model = Model4.model,
+  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
+  function Model0.model = Model7.model
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror as InvariantMirror0 with function Model0.model = Model0.model,
+  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model7.model
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model7.model,
+  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
+  clone CreuSat_Logic_LogicClause_Impl2_Unsat as Unsat0 with function Model0.model = Model6.model,
+  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant3 with function Model0.model = Model5.model
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model4.model,
+  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
+  function Model0.model = Model2.model, function Model1.model = Model3.model,
   predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant1 with function Model0.model = Model2.model
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  function Model0.model = Model1.model,
+  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
   use mach.int.Int64
-  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve6 with type t = uint8
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve4 with type t = Type.creusat_formula_formula
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve3 with type t = Type.creusat_solver_solver
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_trail_trail
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_decision_decisions
-  clone CreusotContracts_Std1_Vec_Impl1_Resolve as Resolve5 with type t = uint8, function Model0.model = Model0.model,
-  predicate Resolve0.resolve = Resolve6.resolve
-  clone CreuSat_Logic_LogicAssignments_Impl1_Complete as Complete0 with function Model0.model = Model8.model,
-  predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicFormula_Impl1_Sat as Sat1 with function Model0.model = Model1.model,
-  function Model1.model = Model8.model,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Solver_Impl0_OuterLoop_Interface as OuterLoop0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant3.invariant',
-  predicate Invariant3.invariant' = Invariant1.invariant', predicate Equisat0.equisat = Equisat0.equisat,
-  predicate Sat0.sat = Sat1.sat, predicate Complete0.complete = Complete0.complete,
+  clone CreuSat_Logic_LogicClause_Impl2_Equals as Equals0 with function Model0.model = Model7.model
+  clone CreuSat_Logic_LogicFormula_Equisat as Equisat1 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
+  clone CreuSat_Logic_LogicFormula_Compatible as Compatible0 with predicate Equals0.equals = Equals0.equals
+  clone CreuSat_Logic_LogicFormula_EquisatCompatibleInner as EquisatCompatibleInner0 with predicate Compatible0.compatible = Compatible0.compatible,
+  predicate Equisat0.equisat = Equisat1.equisat
+  clone CreuSat_Logic_LogicFormula_Impl2_EquisatCompatible as EquisatCompatible0 with function Model0.model = Model1.model,
+  predicate EquisatCompatibleInner0.equisat_compatible_inner = EquisatCompatibleInner0.equisat_compatible_inner
+  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreusotContracts_Logic_Model_Impl1_Model as Model12 with type t = Type.creusat_formula_formula,
+  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
+  clone CreusotContracts_Logic_Model_Impl0_Model as Model11 with type t = Type.creusat_formula_formula,
+  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
+  clone CreuSat_Formula_Impl2_SimplifyFormula_Interface as SimplifyFormula0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant1.invariant',
+  predicate Equisat0.equisat = Equisat0.equisat,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreuSat_Formula_Impl2_ReduceDb_Interface as ReduceDb0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant1.invariant',
+  predicate Equisat0.equisat = Equisat0.equisat,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreuSat_Trail_Impl0_LearnUnit_Interface as LearnUnit0 with predicate Invariant0.invariant' = Invariant1.invariant',
+  predicate Invariant1.invariant' = Invariant3.invariant', predicate Invariant2.invariant' = Invariant0.invariant',
+  function Model0.model = Model0.model, function Model1.model = Model7.model,
+  predicate Invariant3.invariant' = Invariant4.invariant', function Model2.model = Model3.model,
+  function Model3.model = Model6.model,
+  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
+  predicate Sat0.sat = Sat0.sat, predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreuSat_Formula_Impl2_AddUnit_Interface as AddUnit0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant1.invariant', function Model0.model = Model7.model,
+  predicate Invariant2.invariant' = Invariant4.invariant',
+  predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
+  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner,
+  function Model1.model = Model12.model,
+  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
+  predicate EquisatCompatible0.equisat_compatible = EquisatCompatible0.equisat_compatible,
+  predicate Equisat0.equisat = Equisat0.equisat, function Model2.model = Model0.model,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreuSat_Solver_Impl0_HandleLongClause_Interface as HandleLongClause0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
+  predicate Invariant3.invariant' = Invariant3.invariant', predicate Invariant4.invariant' = Invariant4.invariant',
+  function Model0.model = Model12.model,
+  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
+  function Model1.model = Model7.model, predicate Equisat0.equisat = Equisat0.equisat,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreuSat_Trail_Impl0_BacktrackSafe_Interface as BacktrackSafe0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant3.invariant',
+  function Model0.model = Model3.model, function Model1.model = Model6.model,
+  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreuSat_Formula_Impl2_AddClause_Interface as AddClause0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
+  function Model0.model = Model7.model, predicate Invariant3.invariant' = Invariant4.invariant',
+  function Model1.model = Model12.model,
+  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
+  predicate Equisat0.equisat = Equisat0.equisat, function Model2.model = Model0.model,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve4 with type t = Type.creusat_decision_decisions
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve3 with type t = Type.creusat_watches_watches
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_trail_trail
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_formula_formula
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_solver_solver
+  clone CreuSat_ConflictAnalysis_AnalyzeConflict_Interface as AnalyzeConflict0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant1.invariant', function Model0.model = Model0.model,
+  predicate Unsat0.unsat = Unsat0.unsat, predicate Invariant2.invariant' = Invariant3.invariant',
   predicate NotSatisfiable0.not_satisfiable = NotSatisfiable0.not_satisfiable,
+  predicate Invariant3.invariant' = Invariant4.invariant', function Model1.model = Model7.model,
+  predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
+  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner,
+  function Model2.model = Model11.model,
+  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner,
   predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg inner [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 325 4 327 18] (self : borrowed (Type.creusat_solver_solver)) (formula : borrowed (Type.creusat_formula_formula)) (decisions : Type.creusat_decision_decisions) (trail : Type.creusat_trail_trail) (watches : Type.creusat_watches_watches) : Type.creusat_solver_satresult
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 313 4 313 50] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula)) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 314 4 314 36] Invariant0.invariant' ( * formula)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 315 4 315 55] Invariant1.invariant' decisions (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 316 4 316 42] Invariant2.invariant' trail ( * formula)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 317 4 317 44] Invariant3.invariant' watches ( * formula)}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 318 4 318 55] Invariant1.invariant' decisions (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 319 4 323 7] match (result) with
-      | Type.CreuSat_Solver_SatResult_Sat v -> SatInner0.sat_inner ( ^ formula) (Model0.model v) && Equisat0.equisat ( * formula) ( ^ formula) && EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass ( * formula)
-      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable ( ^ formula) && Equisat0.equisat ( * formula) ( ^ formula)
-      | _ -> true
+  let rec cfg handle_conflict [@cfg:stackify] [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 163 4 165 21] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (t : borrowed (Type.creusat_trail_trail)) (cref : usize) (w : borrowed (Type.creusat_watches_watches)) (d : borrowed (Type.creusat_decision_decisions)) : Type.core_option_option bool
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 149 4 149 37] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 150 4 150 42] Invariant1.invariant' ( * t) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 151 4 151 42] Invariant2.invariant' ( * w) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 152 4 152 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 153 4 153 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 154 4 154 43] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 155 4 155 57] Unsat0.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref)) (Type.creusat_trail_trail_Trail_assignments ( * t))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 149 4 149 37] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 150 4 150 42] Invariant1.invariant' ( ^ t) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 151 4 151 42] Invariant2.invariant' ( ^ w) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 152 4 152 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 156 4 156 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 157 4 157 29] Equisat0.equisat ( * f) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 158 4 162 7] match (result) with
+      | Type.Core_Option_Option_Some (False) -> NotSatisfiable0.not_satisfiable ( ^ f)
+      | Type.Core_Option_Option_Some (True) -> true
+      | Type.Core_Option_Option_None -> true
       end }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 324 4 324 41] Equisat0.equisat ( * formula) ( ^ formula) }
     
-   =
-  var _0 : Type.creusat_solver_satresult;
+   = [@vc:do_not_keep_trace] [@vc:sp]
+  var _0 : Type.core_option_option bool;
   var self_1 : borrowed (Type.creusat_solver_solver);
-  var formula_2 : borrowed (Type.creusat_formula_formula);
-  var decisions_3 : Type.creusat_decision_decisions;
-  var trail_4 : Type.creusat_trail_trail;
-  var watches_5 : Type.creusat_watches_watches;
-  ghost var old_f_6 : borrowed (Type.creusat_formula_formula);
-  var _7 : ();
-  var _8 : ();
-  var _9 : ();
-  var _10 : Type.creusat_solver_satresult;
-  var _11 : borrowed (Type.creusat_solver_solver);
-  var _12 : borrowed (Type.creusat_formula_formula);
-  var _13 : borrowed (Type.creusat_decision_decisions);
-  var _14 : borrowed (Type.creusat_decision_decisions);
-  var _15 : borrowed (Type.creusat_trail_trail);
-  var _16 : borrowed (Type.creusat_trail_trail);
-  var _17 : borrowed (Type.creusat_watches_watches);
-  var _18 : borrowed (Type.creusat_watches_watches);
-  var _19 : isize;
+  var f_2 : borrowed (Type.creusat_formula_formula);
+  var t_3 : borrowed (Type.creusat_trail_trail);
+  var cref_4 : usize;
+  var w_5 : borrowed (Type.creusat_watches_watches);
+  var d_6 : borrowed (Type.creusat_decision_decisions);
+  var res_7 : Type.creusat_conflictanalysis_conflict;
+  var _8 : Type.creusat_formula_formula;
+  var _9 : Type.creusat_trail_trail;
+  var _10 : usize;
+  var _11 : borrowed (Type.creusat_decision_decisions);
+  var _12 : ();
+  var _13 : isize;
+  var _14 : ();
+  var clause_15 : Type.creusat_clause_clause;
+  var cref_16 : usize;
+  var _17 : borrowed (Type.creusat_formula_formula);
+  var _18 : Type.creusat_clause_clause;
+  var _19 : Type.creusat_trail_trail;
   var _20 : ();
-  var _21 : Type.alloc_vec_vec uint8 (Type.alloc_alloc_global);
-  var o_22 : Type.creusat_solver_satresult;
-  var _23 : ();
+  var _21 : Type.core_result_result () ();
+  var _22 : borrowed (Type.creusat_trail_trail);
+  var _23 : usize;
+  var _24 : Type.creusat_formula_formula;
+  var _25 : borrowed (Type.creusat_decision_decisions);
+  var _26 : isize;
+  var _27 : ();
+  var _28 : ();
+  var _29 : borrowed (Type.creusat_formula_formula);
+  var _30 : borrowed (Type.creusat_watches_watches);
+  var _31 : Type.creusat_trail_trail;
+  var _32 : borrowed (Type.creusat_solver_solver);
+  var _33 : ();
+  var _34 : borrowed (Type.creusat_formula_formula);
+  var _35 : borrowed (Type.creusat_watches_watches);
+  var _36 : Type.creusat_trail_trail;
+  var s_idx_37 : usize;
+  var clause_38 : Type.creusat_clause_clause;
+  var _39 : ();
+  var _40 : borrowed (Type.creusat_solver_solver);
+  var _41 : borrowed (Type.creusat_formula_formula);
+  var _42 : borrowed (Type.creusat_trail_trail);
+  var _43 : borrowed (Type.creusat_watches_watches);
+  var _44 : borrowed (Type.creusat_decision_decisions);
+  var _45 : Type.creusat_clause_clause;
+  var _46 : usize;
+  var clause_47 : Type.creusat_clause_clause;
+  var _48 : usize;
+  var _49 : borrowed (Type.creusat_formula_formula);
+  var _50 : Type.creusat_clause_clause;
+  var _51 : borrowed (Type.creusat_watches_watches);
+  var _52 : Type.creusat_trail_trail;
+  var _53 : ();
+  var _54 : borrowed (Type.creusat_trail_trail);
+  var _55 : Type.creusat_formula_formula;
+  var _56 : borrowed (Type.creusat_decision_decisions);
   {
     self_1 <- self;
-    formula_2 <- formula;
-    decisions_3 <- decisions;
-    trail_4 <- trail;
-    watches_5 <- watches;
+    f_2 <- f;
+    t_3 <- t;
+    cref_4 <- cref;
+    w_5 <- w;
+    d_6 <- d;
     goto BB0
   }
   BB0 {
+    _8 <-  * f_2;
+    _9 <-  * t_3;
+    _10 <- cref_4;
+    _11 <- borrow_mut ( * d_6);
+    d_6 <- { d_6 with current = ( ^ _11) };
+    res_7 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 166 18 166 49] AnalyzeConflict0.analyze_conflict _8 _9 _10 _11);
     goto BB1
   }
   BB1 {
-    goto BB2
+    switch (res_7)
+      | Type.CreuSat_ConflictAnalysis_Conflict_Ground -> goto BB4
+      | Type.CreuSat_ConflictAnalysis_Conflict_Unit _ -> goto BB5
+      | Type.CreuSat_ConflictAnalysis_Conflict_Learned _ _ -> goto BB14
+      | Type.CreuSat_ConflictAnalysis_Conflict_Restart _ -> goto BB2
+      end
   }
   BB2 {
-    goto BB3
+    assume { Resolve0.resolve self_1 };
+    clause_47 <- Type.creusat_conflictanalysis_conflict_Restart_0 res_7;
+    _49 <- borrow_mut ( * f_2);
+    f_2 <- { f_2 with current = ( ^ _49) };
+    _50 <- clause_47;
+    _51 <- borrow_mut ( * w_5);
+    w_5 <- { w_5 with current = ( ^ _51) };
+    _52 <-  * t_3;
+    _48 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 187 16 187 42] AddClause0.add_clause _49 _50 _51 _52);
+    goto BB17
   }
   BB3 {
-    goto BB4
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve f_2 };
+    assume { Resolve2.resolve t_3 };
+    assume { Resolve3.resolve w_5 };
+    assume { Resolve4.resolve d_6 };
+    absurd
   }
   BB4 {
-    _7 <- ();
-    old_f_6 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 328 20 328 38] formula_2);
-    goto BB5
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve f_2 };
+    assume { Resolve2.resolve t_3 };
+    assume { Resolve3.resolve w_5 };
+    assume { Resolve4.resolve d_6 };
+    _0 <- Type.Core_Option_Option_Some false;
+    goto BB23
   }
   BB5 {
+    clause_15 <- Type.creusat_conflictanalysis_conflict_Unit_0 res_7;
+    _17 <- borrow_mut ( * f_2);
+    f_2 <- { f_2 with current = ( ^ _17) };
+    _18 <- clause_15;
+    _19 <-  * t_3;
+    cref_16 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 175 27 175 48] AddUnit0.add_unit _17 _18 _19);
     goto BB6
   }
   BB6 {
+    _22 <- borrow_mut ( * t_3);
+    t_3 <- { t_3 with current = ( ^ _22) };
+    _23 <- cref_16;
+    _24 <-  * f_2;
+    _25 <- borrow_mut ( * d_6);
+    d_6 <- { d_6 with current = ( ^ _25) };
+    _21 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 176 22 176 46] LearnUnit0.learn_unit _22 _23 _24 _25);
     goto BB7
   }
   BB7 {
-    goto BB8
-  }
-  BB8 {
-    goto BB9
-  }
-  BB9 {
-    invariant equi { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 329 8 329 59] Equisat0.equisat ( * old_f_6) ( * formula_2) };
-    invariant num_vars { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 330 8 330 68] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula_2)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * old_f_6)) };
-    invariant maintains_f { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 331 8 331 54] Invariant0.invariant' ( * formula_2) };
-    invariant maintains_t { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 332 8 332 60] Invariant2.invariant' trail_4 ( * formula_2) };
-    invariant maintains_w { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 333 8 333 62] Invariant3.invariant' watches_5 ( * formula_2) };
-    invariant maintains_d { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 334 8 334 73] Invariant1.invariant' decisions_3 (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula_2))) };
-    invariant proph_f { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 335 8 335 57]  ^ formula_2 =  ^ old_f_6 };
-    _11 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _11) };
-    _12 <- borrow_mut ( * formula_2);
-    formula_2 <- { formula_2 with current = ( ^ _12) };
-    _14 <- borrow_mut decisions_3;
-    decisions_3 <-  ^ _14;
-    _13 <- borrow_mut ( * _14);
-    _14 <- { _14 with current = ( ^ _13) };
-    _16 <- borrow_mut trail_4;
-    trail_4 <-  ^ _16;
-    _15 <- borrow_mut ( * _16);
-    _16 <- { _16 with current = ( ^ _15) };
-    _18 <- borrow_mut watches_5;
-    watches_5 <-  ^ _18;
-    _17 <- borrow_mut ( * _18);
-    _18 <- { _18 with current = ( ^ _17) };
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 337 18 337 84] OuterLoop0.outer_loop _11 _12 _13 _15 _17);
-    goto BB10
+    assume { Resolve4.resolve d_6 };
+    switch (_21)
+      | Type.Core_Result_Result_Ok _ -> goto BB8
+      | Type.Core_Result_Result_Err _ -> goto BB10
+      end
+  }
+  BB8 {
+    _20 <- ();
+    _29 <- borrow_mut ( * f_2);
+    f_2 <- { f_2 with current = ( ^ _29) };
+    _30 <- borrow_mut ( * w_5);
+    w_5 <- { w_5 with current = ( ^ _30) };
+    _31 <-  * t_3;
+    _32 <- borrow_mut ( * self_1);
+    self_1 <- { self_1 with current = ( ^ _32) };
+    _28 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 180 16 180 38] ReduceDb0.reduceDB _29 _30 _31 _32);
+    goto BB11
+  }
+  BB9 {
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve f_2 };
+    assume { Resolve2.resolve t_3 };
+    assume { Resolve3.resolve w_5 };
+    absurd
   }
   BB10 {
-    assume { Resolve0.resolve _14 };
-    assume { Resolve1.resolve _16 };
-    assume { Resolve2.resolve _18 };
-    switch (_10)
-      | Type.CreuSat_Solver_SatResult_Sat _ -> goto BB13
-      | Type.CreuSat_Solver_SatResult_Unknown -> goto BB12
-      | _ -> goto BB11
-      end
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve f_2 };
+    assume { Resolve2.resolve t_3 };
+    assume { Resolve3.resolve w_5 };
+    _0 <- Type.Core_Option_Option_Some true;
+    goto BB22
   }
   BB11 {
-    assume { Resolve3.resolve self_1 };
-    assume { Resolve4.resolve formula_2 };
-    o_22 <- _10;
-    _0 <- o_22;
-    goto BB16
+    assume { Resolve0.resolve self_1 };
+    _34 <- borrow_mut ( * f_2);
+    f_2 <- { f_2 with current = ( ^ _34) };
+    _35 <- borrow_mut ( * w_5);
+    w_5 <- { w_5 with current = ( ^ _35) };
+    _36 <-  * t_3;
+    assume { Resolve2.resolve t_3 };
+    _33 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 181 16 181 40] SimplifyFormula0.simplify_formula _34 _35 _36);
+    goto BB12
   }
   BB12 {
-    _9 <- ();
-    goto BB15
+    assume { Resolve1.resolve f_2 };
+    assume { Resolve3.resolve w_5 };
+    _12 <- ();
+    goto BB13
   }
   BB13 {
-    assume { Resolve3.resolve self_1 };
-    assume { Resolve4.resolve formula_2 };
-    assume { Resolve5.resolve _21 };
-    _21 <- Type.creusat_assignments_assignments_Assignments_0 (Type.creusat_trail_trail_Trail_assignments trail_4);
-    _0 <- Type.CreuSat_Solver_SatResult_Sat _21;
-    goto BB14
+    goto BB20
   }
   BB14 {
-    goto BB17
+    s_idx_37 <- Type.creusat_conflictanalysis_conflict_Learned_0 res_7;
+    clause_38 <- Type.creusat_conflictanalysis_conflict_Learned_1 res_7;
+    _40 <- borrow_mut ( * self_1);
+    self_1 <- { self_1 with current = ( ^ _40) };
+    _41 <- borrow_mut ( * f_2);
+    f_2 <- { f_2 with current = ( ^ _41) };
+    _42 <- borrow_mut ( * t_3);
+    t_3 <- { t_3 with current = ( ^ _42) };
+    _43 <- borrow_mut ( * w_5);
+    w_5 <- { w_5 with current = ( ^ _43) };
+    _44 <- borrow_mut ( * d_6);
+    d_6 <- { d_6 with current = ( ^ _44) };
+    _45 <- clause_38;
+    _46 <- s_idx_37;
+    _39 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 184 16 184 66] HandleLongClause0.handle_long_clause _40 _41 _42 _43 _44 _45 _46);
+    goto BB15
   }
   BB15 {
-    goto BB9
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve f_2 };
+    assume { Resolve2.resolve t_3 };
+    assume { Resolve3.resolve w_5 };
+    assume { Resolve4.resolve d_6 };
+    _12 <- ();
+    goto BB16
   }
   BB16 {
-    goto BB17
+    goto BB20
   }
   BB17 {
+    assume { Resolve3.resolve w_5 };
+    _54 <- borrow_mut ( * t_3);
+    t_3 <- { t_3 with current = ( ^ _54) };
+    _55 <-  * f_2;
+    assume { Resolve1.resolve f_2 };
+    _56 <- borrow_mut ( * d_6);
+    d_6 <- { d_6 with current = ( ^ _56) };
+    _53 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 188 16 188 41] BacktrackSafe0.backtrack_safe _54 (0 : usize) _55 _56);
     goto BB18
   }
   BB18 {
+    assume { Resolve2.resolve t_3 };
+    assume { Resolve4.resolve d_6 };
+    _12 <- ();
     goto BB19
   }
   BB19 {
     goto BB20
   }
   BB20 {
+    _0 <- Type.Core_Option_Option_None;
     goto BB21
   }
   BB21 {
+    goto BB25
+  }
+  BB22 {
+    goto BB23
+  }
+  BB23 {
+    goto BB24
+  }
+  BB24 {
+    goto BB25
+  }
+  BB25 {
     return _0
   }
   
 end
-module CreuSat_Trail_Impl0_New_Interface
+module CreuSat_Util_MinLog_Interface
+  use mach.int.Int
+  function min_log (a : int) (b : int) : int
+end
+module CreuSat_Util_MinLog
+  use mach.int.Int
+  function min_log [#"/Users/xavier/Code/sat/CreuSAT/src/util.rs" 88 0 88 33] (a : int) (b : int) : int =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/util.rs" 87 0 87 8] if a <= b then a else b
+end
+module CreuSat_Util_Min_Interface
+  use mach.int.UInt64
+  use mach.int.Int
+  use prelude.Prelude
+  clone CreuSat_Util_MinLog_Interface as MinLog0
+  val min [@cfg:stackify] (a : usize) (b : usize) : usize
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/util.rs" 96 0 96 38] UInt64.to_int result = MinLog0.min_log (UInt64.to_int a) (UInt64.to_int b) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/util.rs" 97 0 97 38] UInt64.to_int a <= UInt64.to_int b -> UInt64.to_int result = UInt64.to_int a }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/util.rs" 98 0 98 37] UInt64.to_int b < UInt64.to_int a -> UInt64.to_int result = UInt64.to_int b }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/util.rs" 99 0 99 42] UInt64.to_int result <= UInt64.to_int b /\ UInt64.to_int result <= UInt64.to_int a }
+    
+end
+module CreuSat_Util_MaxLog_Interface
+  use mach.int.Int
+  function max_log (a : int) (b : int) : int
+end
+module CreuSat_Util_MaxLog
+  use mach.int.Int
+  function max_log [#"/Users/xavier/Code/sat/CreuSAT/src/util.rs" 109 0 109 33] (a : int) (b : int) : int =
+    [#"/Users/xavier/Code/sat/CreuSAT/src/util.rs" 108 0 108 8] if a >= b then a else b
+end
+module CreuSat_Util_Max_Interface
+  use mach.int.UInt64
+  use mach.int.Int
+  use prelude.Prelude
+  clone CreuSat_Util_MaxLog_Interface as MaxLog0
+  val max [@cfg:stackify] (a : usize) (b : usize) : usize
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/util.rs" 117 0 117 38] UInt64.to_int result = MaxLog0.max_log (UInt64.to_int a) (UInt64.to_int b) }
+    
+end
+module CreuSat_UnitProp_Swap_Interface
+  use mach.int.UInt64
+  use seq.Seq
+  use mach.int.Int
+  use mach.int.Int32
+  use seq.Permut
+  use prelude.Prelude
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model2
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val swap [@cfg:stackify] (f : borrowed (Type.creusat_formula_formula)) (trail : Type.creusat_trail_trail) (watches : Type.creusat_watches_watches) (cref : usize) (j : usize) (k : usize) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 52 0 52 33] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 53 0 53 39] Invariant1.invariant' trail ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 54 0 54 41] Invariant2.invariant' watches ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 55 0 55 46] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) >= 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 56 0 56 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 57 0 57 46] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) > UInt64.to_int j}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 58 0 58 46] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) > UInt64.to_int k}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 59 0 59 69] not SatInner0.sat_inner (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) 0) (Model2.model (Type.creusat_trail_trail_Trail_assignments trail))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 52 0 52 33] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 53 0 53 39] Invariant1.invariant' trail ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 54 0 54 41] Invariant2.invariant' watches ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 61 0 61 78] Permut.exchange (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int cref))) (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) (UInt64.to_int j) (UInt64.to_int k) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 62 0 62 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 63 0 63 55] Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) = Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 65 0 65 25] Equisat0.equisat ( * f) ( ^ f) }
+    
+end
+module CreuSat_Watches_UpdateWatch_Interface
+  use mach.int.UInt64
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.Int32
+  use seq.Seq
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model3 with type t = Type.creusat_watches_watcher,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic_Interface as ToWatchidxLogic0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model2 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant0
+  val update_watch [@cfg:stackify] (f : Type.creusat_formula_formula) (trail : Type.creusat_trail_trail) (watches : borrowed (Type.creusat_watches_watches)) (cref : usize) (j : usize) (k : usize) (lit : Type.creusat_lit_lit) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 30 0 30 41] Invariant0.invariant' ( * watches) f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 31 0 31 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 32 0 32 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 33 0 33 26] Invariant1.invariant' f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 34 0 34 32] Invariant2.invariant' trail f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 35 0 35 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 36 0 36 57] 0 <= UInt64.to_int k /\ UInt64.to_int k < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 37 0 37 46] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses f)) (UInt64.to_int cref))) >= 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 38 0 38 70] Seq.length (Model3.model (Seq.get (Model2.model (Type.creusat_watches_watches_Watches_watches ( * watches))) (ToWatchidxLogic0.to_watchidx_logic lit))) > UInt64.to_int j}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 30 0 30 41] Invariant0.invariant' ( ^ watches) f }
+    
+end
+module CreuSat_UnitProp_CheckAndMoveWatch_Interface
+  use mach.int.UInt64
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.Int32
+  use seq.Seq
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicLit_Impl1_Unsat_Interface as Unsat0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model4 with type t = Type.creusat_watches_watcher,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic_Interface as ToWatchidxLogic0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model3 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model2
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model1
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val check_and_move_watch [@cfg:stackify] (f : borrowed (Type.creusat_formula_formula)) (trail : Type.creusat_trail_trail) (watches : borrowed (Type.creusat_watches_watches)) (cref : usize) (j : usize) (k : usize) (lit : Type.creusat_lit_lit) : bool
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 16 0 16 33] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 17 0 17 36] Invariant1.invariant' trail ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 18 0 18 44] Invariant2.invariant' ( * watches) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 19 0 19 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 20 0 20 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 21 0 21 69] not SatInner0.sat_inner (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) 0) (Model2.model (Type.creusat_trail_trail_Trail_assignments trail))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 22 0 22 39] UInt64.to_int cref < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 23 0 23 57] 2 <= UInt64.to_int k /\ UInt64.to_int k < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 24 0 24 70] Seq.length (Model4.model (Seq.get (Model3.model (Type.creusat_watches_watches_Watches_watches ( * watches))) (ToWatchidxLogic0.to_watchidx_logic lit))) > UInt64.to_int j}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 16 0 16 33] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 17 0 17 36] Invariant1.invariant' trail ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 18 0 18 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 25 0 25 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 26 0 26 25] Equisat0.equisat ( * f) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 27 0 27 55] Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) = Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 28 0 28 114] not result -> Unsat0.unsat (Seq.get (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int cref))) (UInt64.to_int k)) (Type.creusat_trail_trail_Trail_assignments trail) /\  ^ f =  * f /\  * watches =  ^ watches }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 29 0 29 75] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int cref))) = Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) }
+    
+end
+module CreuSat_UnitProp_ExistsNewWatchableLit_Interface
+  use mach.int.UInt64
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.Int32
+  use seq.Seq
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicLit_Impl1_Unsat_Interface as Unsat0
+  clone CreuSat_Logic_LogicLit_Impl1_SatInner_Interface as SatInner0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model4
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model3
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model2 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_watches_watcher,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic_Interface as ToWatchidxLogic0
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val exists_new_watchable_lit [@cfg:stackify] (f : borrowed (Type.creusat_formula_formula)) (trail : Type.creusat_trail_trail) (watches : borrowed (Type.creusat_watches_watches)) (cref : usize) (j : usize) (lit : Type.creusat_lit_lit) : bool
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 86 0 86 33] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 87 0 87 38] Invariant1.invariant' trail ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 88 0 88 44] Invariant2.invariant' ( * watches) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 89 0 89 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 90 0 90 63] ToWatchidxLogic0.to_watchidx_logic lit < Seq.length (Model0.model (Type.creusat_watches_watches_Watches_watches ( * watches)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 91 0 91 70] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( * watches))) (ToWatchidxLogic0.to_watchidx_logic lit))) > UInt64.to_int j}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 92 0 92 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 93 0 93 39] UInt64.to_int cref < Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 94 0 94 46] Seq.length (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) >= 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 95 0 95 69] not SatInner0.sat_inner (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) 0) (Model4.model (Type.creusat_trail_trail_Trail_assignments trail))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 86 0 86 33] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 87 0 87 38] Invariant1.invariant' trail ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 88 0 88 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 96 0 96 136] not result -> (forall m : (int) . 2 <= m /\ m < Seq.length (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) -> Unsat0.unsat (Seq.get (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) m) (Type.creusat_trail_trail_Trail_assignments trail)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 97 0 97 75] not result -> Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref)) = Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int cref)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 98 0 98 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 99 0 99 55] Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) = Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 100 0 100 25] Equisat0.equisat ( * f) ( ^ f) }
+    
+end
+module CreuSat_UnitProp_PropagateLitWithRegardToClause_Interface
+  use seq.Seq
+  use mach.int.Int
+  use mach.int.UInt64
+  use prelude.Prelude
+  use mach.int.Int32
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat1
+  clone CreuSat_Logic_LogicFormula_Impl2_Unsat_Interface as Unsat0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model4 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicClause_Impl0_Model_Interface as Model3
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model2 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_watches_watcher,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicLit_Impl0_ToWatchidxLogic_Interface as ToWatchidxLogic0
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val propagate_lit_with_regard_to_clause [@cfg:stackify] (f : borrowed (Type.creusat_formula_formula)) (trail : borrowed (Type.creusat_trail_trail)) (watches : borrowed (Type.creusat_watches_watches)) (cref : usize) (lit : Type.creusat_lit_lit) (j : usize) : Type.core_result_result bool usize
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 149 0 149 33] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 150 0 150 42] Invariant1.invariant' ( * trail) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 151 0 151 44] Invariant2.invariant' ( * watches) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 152 0 152 63] ToWatchidxLogic0.to_watchidx_logic lit < Seq.length (Model0.model (Type.creusat_watches_watches_Watches_watches ( * watches)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 153 0 153 70] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( * watches))) (ToWatchidxLogic0.to_watchidx_logic lit))) > UInt64.to_int j}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 154 0 154 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 155 0 155 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 156 0 156 39] UInt64.to_int cref < Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 157 0 157 46] Seq.length (Model3.model (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( * f))) (UInt64.to_int cref))) >= 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 149 0 149 33] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 150 0 150 42] Invariant1.invariant' ( ^ trail) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 151 0 151 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 158 0 158 49] Type.creusat_trail_trail_Trail_decisions ( ^ trail) = Type.creusat_trail_trail_Trail_decisions ( * trail) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 159 0 163 3] match (result) with
+      | Type.Core_Result_Result_Ok (True) -> true
+      | Type.Core_Result_Result_Ok (False) -> Seq.length (Model4.model (Type.creusat_trail_trail_Trail_trail ( ^ trail))) = Seq.length (Model4.model (Type.creusat_trail_trail_Trail_trail ( * trail)))
+      | Type.Core_Result_Result_Err n -> UInt64.to_int n < Seq.length (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) /\ Unsat0.unsat ( ^ f) (Type.creusat_trail_trail_Trail_assignments ( ^ trail)) /\ Unsat1.unsat (Seq.get (Model2.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int n)) (Type.creusat_trail_trail_Trail_assignments ( ^ trail))
+      end }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 164 0 164 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 165 0 165 25] Equisat0.equisat ( * f) ( ^ f) }
+    
+end
+module CreuSat_UnitProp_PropagateLiteral_Interface
+  use mach.int.UInt64
+  use mach.int.Int
   use prelude.Prelude
+  use mach.int.Int32
   use Type
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  use seq.Seq
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat1
+  clone CreuSat_Logic_LogicFormula_Impl2_Unsat_Interface as Unsat0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   axiom .
-  val new [@cfg:stackify] (f : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments) : Type.creusat_trail_trail
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 42 4 42 30] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 43 4 43 32] Invariant1.invariant' a f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 44 4 44 36] Invariant2.invariant' result f }
+  val propagate_literal [@cfg:stackify] (f : borrowed (Type.creusat_formula_formula)) (trail : borrowed (Type.creusat_trail_trail)) (watches : borrowed (Type.creusat_watches_watches)) (lit : Type.creusat_lit_lit) : Type.core_result_result () usize
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 230 0 230 33] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 231 0 231 42] Invariant1.invariant' ( * trail) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 232 0 232 44] Invariant2.invariant' ( * watches) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 233 0 233 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 234 0 234 44] IndexLogic0.index_logic lit < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 230 0 230 33] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 231 0 231 42] Invariant1.invariant' ( ^ trail) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 232 0 232 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 235 0 238 3] match (result) with
+      | Type.Core_Result_Result_Ok () -> true
+      | Type.Core_Result_Result_Err n -> UInt64.to_int n < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) /\ Unsat0.unsat ( ^ f) (Type.creusat_trail_trail_Trail_assignments ( ^ trail)) /\ Unsat1.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int n)) (Type.creusat_trail_trail_Trail_assignments ( ^ trail))
+      end }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 239 0 239 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 240 0 240 25] Equisat0.equisat ( * f) ( ^ f) }
+    
+end
+module CreuSat_UnitProp_UnitPropagate_Interface
+  use mach.int.UInt64
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.Int32
+  use Type
+  use seq.Seq
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicClause_Impl2_Unsat_Interface as Unsat1
+  clone CreuSat_Logic_LogicFormula_Impl2_Unsat_Interface as Unsat0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val unit_propagate [@cfg:stackify] (f : borrowed (Type.creusat_formula_formula)) (trail : borrowed (Type.creusat_trail_trail)) (watches : borrowed (Type.creusat_watches_watches)) : Type.core_result_result () usize
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 280 0 280 33] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 281 0 281 42] Invariant1.invariant' ( * trail) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 282 0 282 44] Invariant2.invariant' ( * watches) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 283 0 283 40] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 280 0 280 33] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 281 0 281 42] Invariant1.invariant' ( ^ trail) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 282 0 282 44] Invariant2.invariant' ( ^ watches) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 284 0 287 3] match (result) with
+      | Type.Core_Result_Result_Ok () -> true
+      | Type.Core_Result_Result_Err n -> UInt64.to_int n < Seq.length (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) /\ Unsat0.unsat ( ^ f) (Type.creusat_trail_trail_Trail_assignments ( ^ trail)) /\ Unsat1.unsat (Seq.get (Model0.model (Type.creusat_formula_formula_Formula_clauses ( ^ f))) (UInt64.to_int n)) (Type.creusat_trail_trail_Trail_assignments ( ^ trail))
+      end }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 288 0 288 41] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/unit_prop.rs" 289 0 289 25] Equisat0.equisat ( * f) ( ^ f) }
     
 end
-module CreuSat_Trail_Impl0_New
+module CreuSat_Solver_Impl0_UnitPropStep_Interface
+  use mach.int.UInt64
+  use mach.int.Int
   use prelude.Prelude
+  use mach.int.Int32
   use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable_Interface as NotSatisfiable0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant3
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val unit_prop_step [@cfg:stackify] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (d : borrowed (Type.creusat_decision_decisions)) (t : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) : Type.creusat_solver_conflictresult
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 195 4 195 37] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 196 4 196 42] Invariant1.invariant' ( * w) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 197 4 197 42] Invariant2.invariant' ( * t) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 198 4 198 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 199 4 199 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 195 4 195 37] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 196 4 196 42] Invariant1.invariant' ( ^ w) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 197 4 197 42] Invariant2.invariant' ( ^ t) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 198 4 198 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 200 4 200 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 201 4 201 29] Equisat0.equisat ( * f) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 202 4 205 7] match (result) with
+      | Type.CreuSat_Solver_ConflictResult_Ground -> NotSatisfiable0.not_satisfiable ( ^ f)
+      | _ -> true
+      end }
+    
+end
+module CreuSat_Solver_Impl0_UnitPropStep
+  use mach.int.UInt64
   use mach.int.Int
+  use prelude.Prelude
+  use mach.int.Int32
+  use Type
   use prelude.UInt8
-  use mach.int.UInt64
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
+  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
+  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_lit_lit,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicClause_Impl0_Model as Model5 with function Model0.model = Model9.model
+  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model5.model,
+  predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
   clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
   function IndexLogic0.index_logic = IndexLogic0.index_logic
   clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant5 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant5.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
+  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant7 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant7.invariant'
+  clone CreuSat_Logic_Logic_Unset as Unset0
+  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
+  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
+  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
+  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model5 with function Model0.model = Model7.model
+  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant8 with function Model0.model = Model6.model,
+  function Model1.model = Model5.model
+  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
   clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model5.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
   predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
   clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model5.model,
   function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant3 with function Model0.model = Model5.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant3.invariant',
-  function Model0.model = Model5.model
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model1 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model1.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant1 with function Model0.model = Model1.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant6 with function Model0.model = Model4.model,
-  function Model1.model = Model5.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant4 with predicate Invariant0.invariant' = Invariant5.invariant',
-  predicate Invariant1.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant4.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model4.model,
+  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model6.model,
   predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model4.model,
+  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant6 with predicate Invariant0.invariant' = Invariant7.invariant',
+  predicate Invariant1.invariant' = Invariant8.invariant'
+  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant6.invariant'
+  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
+  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
+  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
+  clone CreuSat_Logic_LogicFormula_Impl2_SatInner as SatInner0 with function Model0.model = Model6.model,
+  predicate SatInner0.sat_inner = SatInner2.sat_inner
+  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model8 with function Model0.model = Model10.model
+  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model8.model,
+  predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model6.model,
   function Model1.model = Model5.model, predicate Sat0.sat = Sat0.sat
-  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model4.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model4.model,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model1.model = Model5.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model0.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = usize, type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model2.model,
+  predicate Sorted0.sorted = Sorted0.sorted
   clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_trail_step,
   type a = Type.alloc_alloc_global, axiom .
   clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model3.model,
-  function Model1.model = Model1.model,
+  function Model1.model = Model8.model,
   predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
+  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model6.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic,
+  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
   clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model3.model,
   predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
   clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model3.model,
   predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model2.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model1.model,
-  function Model1.model = Model3.model, predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model2.model = Model2.model, function Model3.model = Model4.model,
+  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
+  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
+  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model8.model
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_watches_watcher,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model5.model,
+  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
+  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model6.model
+  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model0.model,
+  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
+  clone CreuSat_Logic_LogicFormula_Impl2_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
+  predicate SatInner0.sat_inner = SatInner0.sat_inner
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_decision_node,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model8.model,
+  function Model1.model = Model3.model, predicate Invariant0.invariant' = Invariant6.invariant',
+  function Model2.model = Model2.model, function Model3.model = Model6.model,
   predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
   predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
   predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
   predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
   predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
   clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant1.invariant', function Model0.model = Model3.model,
+  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model3.model,
   predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model2.model,
   predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
   predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model1.model,
+  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model8.model,
   predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
   predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
   predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
   predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
+  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model7.model,
+  function Model1.model = Model6.model, function Model2.model = Model5.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
+  function Model0.model = Model5.model
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror as InvariantMirror0 with function Model0.model = Model6.model,
+  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model5.model
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model5.model,
+  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant3 with function Model0.model = Model4.model
   clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant2 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
   function Model0.model = Model2.model, function Model1.model = Model3.model,
   predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone Alloc_Vec_Impl0_New_Interface as New0 with type t = Type.creusat_trail_step,
-  function Model0.model = Model3.model
-  clone Alloc_Vec_Impl0_New_Interface as New1 with type t = usize, function Model0.model = Model2.model
-  clone Alloc_Vec_FromElem_Interface as FromElem0 with type t = usize, function Model0.model = Model2.model
-  let rec cfg new [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 45 4 45 52] (f : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments) : Type.creusat_trail_trail
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 42 4 42 30] Invariant0.invariant' f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 43 4 43 32] Invariant1.invariant' a f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 44 4 44 36] Invariant2.invariant' result f }
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant1 with function Model0.model = Model1.model,
+  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  function Model0.model = Model0.model,
+  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
+  use mach.int.Int64
+  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner as UnsatInner2 with function Model0.model = Model5.model,
+  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
+  clone CreuSat_Logic_LogicFormula_Impl2_UnsatInner as UnsatInner1 with function Model0.model = Model6.model,
+  predicate UnsatInner0.unsat_inner = UnsatInner2.unsat_inner
+  clone CreuSat_Logic_LogicClause_Impl2_Unsat as Unsat1 with function Model0.model = Model8.model,
+  predicate UnsatInner0.unsat_inner = UnsatInner2.unsat_inner
+  clone CreuSat_Logic_LogicFormula_Impl2_Unsat as Unsat0 with function Model0.model = Model8.model,
+  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
+  clone CreuSat_Solver_Impl0_HandleConflict_Interface as HandleConflict0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant1.invariant',
+  predicate Invariant3.invariant' = Invariant3.invariant', function Model0.model = Model6.model,
+  predicate Unsat0.unsat = Unsat1.unsat, predicate Equisat0.equisat = Equisat0.equisat,
+  predicate NotSatisfiable0.not_satisfiable = NotSatisfiable0.not_satisfiable,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve4 with type t = Type.creusat_watches_watches
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve3 with type t = Type.creusat_trail_trail
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_decision_decisions
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_formula_formula
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_solver_solver
+  clone CreuSat_UnitProp_UnitPropagate_Interface as UnitPropagate0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant1.invariant',
+  function Model0.model = Model6.model, predicate Unsat0.unsat = Unsat0.unsat, predicate Unsat1.unsat = Unsat1.unsat,
+  predicate Equisat0.equisat = Equisat0.equisat,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  let rec cfg unit_prop_step [@cfg:stackify] [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 206 4 206 118] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (d : borrowed (Type.creusat_decision_decisions)) (t : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) : Type.creusat_solver_conflictresult
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 195 4 195 37] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 196 4 196 42] Invariant1.invariant' ( * w) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 197 4 197 42] Invariant2.invariant' ( * t) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 198 4 198 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 199 4 199 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 195 4 195 37] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 196 4 196 42] Invariant1.invariant' ( ^ w) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 197 4 197 42] Invariant2.invariant' ( ^ t) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 198 4 198 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 200 4 200 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 201 4 201 29] Equisat0.equisat ( * f) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 202 4 205 7] match (result) with
+      | Type.CreuSat_Solver_ConflictResult_Ground -> NotSatisfiable0.not_satisfiable ( ^ f)
+      | _ -> true
+      end }
     
-   =
-  var _0 : Type.creusat_trail_trail;
-  var f_1 : Type.creusat_formula_formula;
-  var a_2 : Type.creusat_assignments_assignments;
-  var _3 : Type.creusat_assignments_assignments;
-  var _4 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
-  var _5 : usize;
-  var _6 : Type.alloc_vec_vec (Type.creusat_trail_step) (Type.alloc_alloc_global);
-  var _7 : Type.alloc_vec_vec usize (Type.alloc_alloc_global);
+   = [@vc:do_not_keep_trace] [@vc:sp]
+  var _0 : Type.creusat_solver_conflictresult;
+  var self_1 : borrowed (Type.creusat_solver_solver);
+  var f_2 : borrowed (Type.creusat_formula_formula);
+  var d_3 : borrowed (Type.creusat_decision_decisions);
+  var t_4 : borrowed (Type.creusat_trail_trail);
+  var w_5 : borrowed (Type.creusat_watches_watches);
+  var _6 : Type.core_result_result () usize;
+  var _7 : borrowed (Type.creusat_formula_formula);
+  var _8 : borrowed (Type.creusat_trail_trail);
+  var _9 : borrowed (Type.creusat_watches_watches);
+  var _10 : isize;
+  var cref_11 : usize;
+  var _12 : Type.core_option_option bool;
+  var _13 : borrowed (Type.creusat_solver_solver);
+  var _14 : borrowed (Type.creusat_formula_formula);
+  var _15 : borrowed (Type.creusat_trail_trail);
+  var _16 : usize;
+  var _17 : borrowed (Type.creusat_watches_watches);
+  var _18 : borrowed (Type.creusat_decision_decisions);
+  var _19 : isize;
   {
-    f_1 <- f;
-    a_2 <- a;
+    self_1 <- self;
+    f_2 <- f;
+    d_3 <- d;
+    t_4 <- t;
+    w_5 <- w;
     goto BB0
   }
   BB0 {
+    _7 <- borrow_mut ( * f_2);
+    f_2 <- { f_2 with current = ( ^ _7) };
+    _8 <- borrow_mut ( * t_4);
+    t_4 <- { t_4 with current = ( ^ _8) };
+    _9 <- borrow_mut ( * w_5);
+    w_5 <- { w_5 with current = ( ^ _9) };
+    _6 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 207 14 207 37] UnitPropagate0.unit_propagate _7 _8 _9);
     goto BB1
   }
   BB1 {
-    _3 <- a_2;
-    _5 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    _4 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 48 26 48 64] FromElem0.from_elem (18446744073709551615 : usize) _5);
-    goto BB2
+    switch (_6)
+      | Type.Core_Result_Result_Ok _ -> goto BB4
+      | Type.Core_Result_Result_Err _ -> goto BB2
+      end
   }
   BB2 {
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 49 19 49 29] New0.new ());
-    goto BB3
+    cref_11 <- Type.core_result_result_Err_0 _6;
+    _13 <- borrow_mut ( * self_1);
+    self_1 <- { self_1 with current = ( ^ _13) };
+    _14 <- borrow_mut ( * f_2);
+    f_2 <- { f_2 with current = ( ^ _14) };
+    _15 <- borrow_mut ( * t_4);
+    t_4 <- { t_4 with current = ( ^ _15) };
+    _16 <- cref_11;
+    _17 <- borrow_mut ( * w_5);
+    w_5 <- { w_5 with current = ( ^ _17) };
+    _18 <- borrow_mut ( * d_3);
+    d_3 <- { d_3 with current = ( ^ _18) };
+    _12 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 209 31 209 69] HandleConflict0.handle_conflict _13 _14 _15 _16 _17 _18);
+    goto BB5
   }
   BB3 {
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 51 23 51 33] New1.new ());
-    goto BB4
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve f_2 };
+    assume { Resolve2.resolve d_3 };
+    assume { Resolve3.resolve t_4 };
+    assume { Resolve4.resolve w_5 };
+    absurd
   }
   BB4 {
-    _0 <- Type.CreuSat_Trail_Trail _3 _4 _6 (0 : usize) _7;
-    goto BB5
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve f_2 };
+    assume { Resolve2.resolve d_3 };
+    assume { Resolve3.resolve t_4 };
+    assume { Resolve4.resolve w_5 };
+    _0 <- Type.CreuSat_Solver_ConflictResult_Ok;
+    goto BB12
   }
   BB5 {
-    goto BB6
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve f_2 };
+    assume { Resolve2.resolve d_3 };
+    assume { Resolve3.resolve t_4 };
+    assume { Resolve4.resolve w_5 };
+    switch (_12)
+      | Type.Core_Option_Option_None -> goto BB6
+      | Type.Core_Option_Option_Some _ -> goto BB7
+      end
   }
   BB6 {
-    goto BB7
+    _0 <- Type.CreuSat_Solver_ConflictResult_Continue;
+    goto BB11
   }
   BB7 {
-    goto BB8
+    switch (Type.core_option_option_Some_0 _12)
+      | False -> goto BB9
+      | _ -> goto BB10
+      end
   }
   BB8 {
-    goto BB9
+    absurd
   }
   BB9 {
+    _0 <- Type.CreuSat_Solver_ConflictResult_Ground;
+    goto BB11
+  }
+  BB10 {
+    _0 <- Type.CreuSat_Solver_ConflictResult_Err;
+    goto BB11
+  }
+  BB11 {
+    goto BB12
+  }
+  BB12 {
     return _0
   }
   
 end
-module CreuSat_Watches_Impl0_New_Interface
+module CreuSat_Solver_Impl0_UnitPropLoop_Interface
+  use mach.int.UInt64
+  use mach.int.Int
   use prelude.Prelude
+  use mach.int.Int32
   use Type
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant0
-  val new [@cfg:stackify] (f : Type.creusat_formula_formula) : Type.creusat_watches_watches
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 74 4 74 36] Invariant0.invariant' result f }
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable_Interface as NotSatisfiable0
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant3
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val unit_prop_loop [@cfg:stackify] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (d : borrowed (Type.creusat_decision_decisions)) (t : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) : Type.core_option_option bool
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 218 4 218 37] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 219 4 219 42] Invariant1.invariant' ( * t) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 220 4 220 42] Invariant2.invariant' ( * w) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 221 4 221 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 222 4 222 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 218 4 218 37] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 219 4 219 42] Invariant1.invariant' ( ^ t) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 220 4 220 42] Invariant2.invariant' ( ^ w) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 221 4 221 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 223 4 227 7] match (result) with
+      | Type.Core_Option_Option_Some (False) -> NotSatisfiable0.not_satisfiable ( ^ f)
+      | Type.Core_Option_Option_Some (True) -> true
+      | Type.Core_Option_Option_None -> true
+      end }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 228 4 228 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 229 4 229 29] Equisat0.equisat ( * f) ( ^ f) }
     
 end
-module CreuSat_Watches_Impl0_New
-  use prelude.Prelude
-  use Type
+module CreuSat_Solver_Impl0_UnitPropLoop
   use mach.int.UInt64
   use mach.int.Int
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model3 with function Model0.model = Model4.model
+  use prelude.Prelude
+  use mach.int.Int32
+  use Type
+  use prelude.UInt8
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
+  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
+  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_lit_lit,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.creusat_watches_watcher,
+  clone CreuSat_Logic_LogicClause_Impl0_Model as Model5 with function Model0.model = Model9.model
+  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner2 with function Model0.model = Model5.model,
+  predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
+  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant7 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant7.invariant'
+  clone CreuSat_Logic_Logic_Unset as Unset0
+  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
+  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
+  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
+  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model1.model,
-  function Model1.model = Model2.model, function Model2.model = Model3.model,
+  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant8 with function Model0.model = Model6.model,
+  function Model1.model = Model5.model
+  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model5.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
+  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model5.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model6.model,
+  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
+  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant6 with predicate Invariant0.invariant' = Invariant7.invariant',
+  predicate Invariant1.invariant' = Invariant8.invariant'
+  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant6.invariant'
+  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
+  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
+  clone CreuSat_Logic_LogicFormula_Impl2_SatInner as SatInner0 with function Model0.model = Model6.model,
+  predicate SatInner0.sat_inner = SatInner2.sat_inner
+  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_watches_watcher,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model7 with function Model0.model = Model10.model
+  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model7.model,
+  predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model6.model,
+  function Model1.model = Model5.model, predicate Sat0.sat = Sat0.sat
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = usize, type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model1.model,
+  predicate Sorted0.sorted = Sorted0.sorted
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model2.model,
+  function Model1.model = Model7.model,
+  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
+  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model6.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic,
+  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
+  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model2.model,
+  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
+  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model2.model,
+  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
+  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
+  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
+  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model7.model
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model5.model,
+  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
+  clone CreuSat_Logic_LogicFormula_Impl2_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
+  predicate SatInner0.sat_inner = SatInner0.sat_inner
+  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model6.model
+  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model0.model,
+  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_decision_node,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model8.model,
+  function Model1.model = Model6.model, function Model2.model = Model5.model,
   function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant0 with function Model0.model = Model0.model,
+  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model7.model,
+  function Model1.model = Model2.model, predicate Invariant0.invariant' = Invariant6.invariant',
+  function Model2.model = Model1.model, function Model3.model = Model6.model,
+  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
+  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
+  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
+  predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
+  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
+  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
+  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model2.model,
+  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model1.model,
+  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
+  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
+  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model7.model,
+  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
+  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
+  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
+  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
+  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
+  function Model0.model = Model5.model
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror as InvariantMirror0 with function Model0.model = Model6.model,
+  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model5.model
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model5.model,
+  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant3 with function Model0.model = Model4.model
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model3.model,
   predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve2 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Std1_Vec_Impl1_Resolve as Resolve1 with type t = Type.creusat_watches_watcher,
-  function Model0.model = Model1.model, predicate Resolve0.resolve = Resolve2.resolve
-  clone Alloc_Vec_Impl0_New_Interface as New1 with type t = Type.creusat_watches_watcher,
-  function Model0.model = Model1.model
-  clone CreusotContracts_Std1_Vec_Impl1_Resolve as Resolve0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  function Model0.model = Model0.model, predicate Resolve0.resolve = Resolve1.resolve
-  clone Alloc_Vec_Impl1_Push_Interface as Push0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, function Model0.model = Model0.model
-  clone Alloc_Vec_Impl0_New_Interface as New0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  function Model0.model = Model0.model
-  let rec cfg new [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 75 4 75 38] (f : Type.creusat_formula_formula) : Type.creusat_watches_watches
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 74 4 74 36] Invariant0.invariant' result f }
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
+  function Model0.model = Model1.model, function Model1.model = Model2.model,
+  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  function Model0.model = Model0.model,
+  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
+  use mach.int.Int64
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve4 with type t = Type.creusat_watches_watches
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve3 with type t = Type.creusat_trail_trail
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_decision_decisions
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_formula_formula
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_solver_solver
+  clone CreuSat_Solver_Impl0_UnitPropStep_Interface as UnitPropStep0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant1.invariant',
+  predicate Invariant3.invariant' = Invariant3.invariant', predicate Equisat0.equisat = Equisat0.equisat,
+  predicate NotSatisfiable0.not_satisfiable = NotSatisfiable0.not_satisfiable,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  let rec cfg unit_prop_loop [@cfg:stackify] [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 230 4 230 116] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (d : borrowed (Type.creusat_decision_decisions)) (t : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) : Type.core_option_option bool
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 218 4 218 37] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 219 4 219 42] Invariant1.invariant' ( * t) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 220 4 220 42] Invariant2.invariant' ( * w) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 221 4 221 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 222 4 222 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 218 4 218 37] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 219 4 219 42] Invariant1.invariant' ( ^ t) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 220 4 220 42] Invariant2.invariant' ( ^ w) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 221 4 221 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 223 4 227 7] match (result) with
+      | Type.Core_Option_Option_Some (False) -> NotSatisfiable0.not_satisfiable ( ^ f)
+      | Type.Core_Option_Option_Some (True) -> true
+      | Type.Core_Option_Option_None -> true
+      end }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 228 4 228 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 229 4 229 29] Equisat0.equisat ( * f) ( ^ f) }
     
-   =
-  var _0 : Type.creusat_watches_watches;
-  var f_1 : Type.creusat_formula_formula;
-  var i_2 : usize;
-  var watches_3 : Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global);
-  var _4 : ();
-  var _5 : ();
-  var _6 : bool;
-  var _7 : usize;
-  var _8 : usize;
+   = [@vc:do_not_keep_trace] [@vc:sp]
+  var _0 : Type.core_option_option bool;
+  var self_1 : borrowed (Type.creusat_solver_solver);
+  var f_2 : borrowed (Type.creusat_formula_formula);
+  var d_3 : borrowed (Type.creusat_decision_decisions);
+  var t_4 : borrowed (Type.creusat_trail_trail);
+  var w_5 : borrowed (Type.creusat_watches_watches);
+  ghost var old_f_6 : borrowed (Type.creusat_formula_formula);
+  var _7 : ();
+  ghost var old_t_8 : borrowed (Type.creusat_trail_trail);
   var _9 : ();
-  var _10 : borrowed (Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global));
-  var _11 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _12 : ();
-  var _13 : borrowed (Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global));
-  var _14 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
+  ghost var old_w_10 : borrowed (Type.creusat_watches_watches);
+  var _11 : ();
+  ghost var old_d_12 : borrowed (Type.creusat_decision_decisions);
+  var _13 : ();
+  var _14 : ();
   var _15 : ();
-  var _16 : ();
-  var _17 : ();
-  var _18 : Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global);
+  var _16 : Type.creusat_solver_conflictresult;
+  var _17 : borrowed (Type.creusat_solver_solver);
+  var _18 : borrowed (Type.creusat_formula_formula);
+  var _19 : borrowed (Type.creusat_decision_decisions);
+  var _20 : borrowed (Type.creusat_trail_trail);
+  var _21 : borrowed (Type.creusat_watches_watches);
+  var _22 : isize;
+  var _23 : ();
+  var _24 : ();
+  var _25 : ();
   {
-    f_1 <- f;
+    self_1 <- self;
+    f_2 <- f;
+    d_3 <- d;
+    t_4 <- t;
+    w_5 <- w;
     goto BB0
   }
   BB0 {
-    i_2 <- (0 : usize);
-    watches_3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 77 26 77 36] New0.new ());
+    _7 <- ();
+    old_f_6 <- ghost ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 231 20 231 32] f_2);
     goto BB1
   }
   BB1 {
+    _9 <- ();
+    old_t_8 <- ghost ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 232 20 232 32] t_4);
     goto BB2
   }
   BB2 {
+    _11 <- ();
+    old_w_10 <- ghost ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 233 20 233 32] w_5);
     goto BB3
   }
   BB3 {
-    invariant i_less { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 78 8 78 47] UInt64.to_int i_2 <= UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_1) };
-    invariant maintains_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 79 8 79 81] WatchesInvariantInternal0.watches_invariant_internal (Model0.model watches_3) (UInt64.to_int i_2) f_1 };
-    _7 <- i_2;
-    _8 <- Type.creusat_formula_formula_Formula_num_vars f_1;
-    _6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 80 14 80 28] _7 < _8);
-    switch (_6)
-      | False -> goto BB9
-      | _ -> goto BB4
-      end
+    _13 <- ();
+    old_d_12 <- ghost ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 234 20 234 32] d_3);
+    goto BB4
   }
   BB4 {
-    _10 <- borrow_mut watches_3;
-    watches_3 <-  ^ _10;
-    _11 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 81 25 81 35] New1.new ());
     goto BB5
   }
   BB5 {
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 81 12 81 36] Push0.push _10 _11);
+    invariant maintains_f { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 235 8 235 48] Invariant0.invariant' ( * f_2) };
+    invariant maintains_t { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 236 8 236 50] Invariant1.invariant' ( * t_4) ( * f_2) };
+    invariant maintains_w { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 237 8 237 50] Invariant2.invariant' ( * w_5) ( * f_2) };
+    invariant maintains_d { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 238 8 238 59] Invariant3.invariant' ( * d_3) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f_2))) };
+    invariant equi { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 239 8 239 53] Equisat0.equisat ( * old_f_6) ( * f_2) };
+    invariant num_vars { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 240 8 240 62] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f_2)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * old_f_6)) };
+    invariant prophf { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 241 8 241 50]  ^ f_2 =  ^ old_f_6 };
+    invariant propht { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 242 8 242 50]  ^ t_4 =  ^ old_t_8 };
+    invariant prophw { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 243 8 243 50]  ^ w_5 =  ^ old_w_10 };
+    invariant prophd { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 244 8 244 50]  ^ d_3 =  ^ old_d_12 };
+    _17 <- borrow_mut ( * self_1);
+    self_1 <- { self_1 with current = ( ^ _17) };
+    _18 <- borrow_mut ( * f_2);
+    f_2 <- { f_2 with current = ( ^ _18) };
+    _19 <- borrow_mut ( * d_3);
+    d_3 <- { d_3 with current = ( ^ _19) };
+    _20 <- borrow_mut ( * t_4);
+    t_4 <- { t_4 with current = ( ^ _20) };
+    _21 <- borrow_mut ( * w_5);
+    w_5 <- { w_5 with current = ( ^ _21) };
+    _16 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 246 18 246 49] UnitPropStep0.unit_prop_step _17 _18 _19 _20 _21);
     goto BB6
   }
   BB6 {
-    _13 <- borrow_mut watches_3;
-    watches_3 <-  ^ _13;
-    _14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 82 25 82 35] New1.new ());
-    goto BB7
+    switch (_16)
+      | Type.CreuSat_Solver_ConflictResult_Ok -> goto BB9
+      | Type.CreuSat_Solver_ConflictResult_Err -> goto BB11
+      | Type.CreuSat_Solver_ConflictResult_Ground -> goto BB10
+      | Type.CreuSat_Solver_ConflictResult_Continue -> goto BB7
+      end
   }
   BB7 {
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 82 12 82 36] Push0.push _13 _14);
-    goto BB8
+    _15 <- ();
+    goto BB5
   }
   BB8 {
-    i_2 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 83 12 83 18] i_2 + (1 : usize));
-    _5 <- ();
-    goto BB3
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve f_2 };
+    assume { Resolve2.resolve d_3 };
+    assume { Resolve3.resolve t_4 };
+    assume { Resolve4.resolve w_5 };
+    absurd
   }
   BB9 {
-    _4 <- ();
-    assume { Resolve0.resolve _18 };
-    _18 <- watches_3;
-    _0 <- Type.CreuSat_Watches_Watches _18;
-    goto BB10
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve f_2 };
+    assume { Resolve2.resolve d_3 };
+    assume { Resolve3.resolve t_4 };
+    assume { Resolve4.resolve w_5 };
+    _0 <- Type.Core_Option_Option_Some true;
+    goto BB12
   }
   BB10 {
-    goto BB11
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve f_2 };
+    assume { Resolve2.resolve d_3 };
+    assume { Resolve3.resolve t_4 };
+    assume { Resolve4.resolve w_5 };
+    _0 <- Type.Core_Option_Option_Some false;
+    goto BB12
   }
   BB11 {
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve f_2 };
+    assume { Resolve2.resolve d_3 };
+    assume { Resolve3.resolve t_4 };
+    assume { Resolve4.resolve w_5 };
+    _0 <- Type.Core_Option_Option_None;
+    goto BB12
+  }
+  BB12 {
     return _0
   }
   
 end
-module CreuSat_Watches_Impl0_InitWatches_Interface
+module CreuSat_Trail_Impl0_EnqDecision_Interface
+  use mach.int.UInt64
+  use mach.int.Int
+  use seq.Seq
+  use mach.int.Int32
+  use prelude.UInt8
+  use prelude.Prelude
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner_Interface as LongArePostUnitInner0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_Logic_Unset_Interface as Unset0
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model_Interface as Model0
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val enq_decision [@cfg:stackify] (self : borrowed (Type.creusat_trail_trail)) (idx : usize) (_f : Type.creusat_formula_formula) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 268 4 268 31] Invariant0.invariant' _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 269 4 269 43] Invariant1.invariant' ( * self) _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 270 4 270 36] UInt64.to_int idx < UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars _f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 271 4 271 49] Unset0.unset (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( * self))) (UInt64.to_int idx))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 275 4 275 78] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self))) _f (Model0.model (Type.creusat_trail_trail_Trail_assignments ( * self)))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 269 4 269 43] Invariant1.invariant' ( ^ self) _f }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 272 4 273 76] forall j : (int) . 0 <= j /\ j < Seq.length (Model0.model (Type.creusat_trail_trail_Trail_assignments ( * self))) /\ j <> UInt64.to_int idx -> Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( * self))) j = Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) j }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 274 4 274 88] UInt8.to_int (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) (UInt64.to_int idx)) = 1 \/ UInt8.to_int (Seq.get (Model0.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) (UInt64.to_int idx)) = 0 }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 276 4 276 87] LongArePostUnitInner0.long_are_post_unit_inner (Model1.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) _f (Model0.model (Type.creusat_trail_trail_Trail_assignments ( ^ self))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 277 4 277 65] Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail ( ^ self))) = 1 + Seq.length (Model1.model (Type.creusat_trail_trail_Trail_trail ( * self))) }
+    
+end
+module CreuSat_Solver_Impl0_OuterLoop_Interface
   use mach.int.UInt64
   use mach.int.Int
   use prelude.Prelude
   use mach.int.Int32
   use Type
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable_Interface as NotSatisfiable0
+  clone CreuSat_Logic_LogicAssignments_Impl1_Complete_Interface as Complete0
+  clone CreuSat_Logic_LogicFormula_Impl2_Sat_Interface as Sat0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant3
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant0
-  val init_watches [@cfg:stackify] (self : borrowed (Type.creusat_watches_watches)) (f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 132 4 132 42] Invariant0.invariant' ( * self) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 133 4 133 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 134 4 134 30] Invariant1.invariant' f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 132 4 132 42] Invariant0.invariant' ( ^ self) f }
+  val outer_loop [@cfg:stackify] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (d : borrowed (Type.creusat_decision_decisions)) (trail : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) : Type.creusat_solver_satresult
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 262 4 262 37] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 263 4 263 46] Invariant1.invariant' ( * trail) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 264 4 264 42] Invariant2.invariant' ( * w) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 265 4 265 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 266 4 266 41] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 267 4 267 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 262 4 262 37] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 263 4 263 46] Invariant1.invariant' ( ^ trail) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 264 4 264 42] Invariant2.invariant' ( ^ w) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 265 4 265 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 268 4 268 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 269 4 269 29] Equisat0.equisat ( * f) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 270 4 276 7] match (result) with
+      | Type.CreuSat_Solver_SatResult_Sat _ -> Sat0.sat ( ^ f) (Type.creusat_trail_trail_Trail_assignments ( ^ trail)) /\ Complete0.complete (Type.creusat_trail_trail_Trail_assignments ( ^ trail))
+      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable ( ^ f)
+      | Type.CreuSat_Solver_SatResult_Unknown -> true
+      | Type.CreuSat_Solver_SatResult_Err -> true
+      end }
     
 end
-module CreuSat_Watches_Impl0_InitWatches
+module CreuSat_Solver_Impl0_OuterLoop
   use mach.int.UInt64
   use mach.int.Int
   use prelude.Prelude
   use mach.int.Int32
   use Type
-  use seq.Seq
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model4 with function Model0.model = Model5.model
+  use prelude.UInt8
+  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant3 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant3.invariant'
+  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
   clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant7 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant7.invariant'
+  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner2 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = Type.creusat_lit_lit,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicClause_Impl0_Model as Model6 with function Model0.model = Model10.model
+  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner1 with function Model0.model = Model6.model,
+  predicate SatInner0.sat_inner = SatInner2.sat_inner
+  clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_Logic_Unset as Unset0
+  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
+  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
+  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
+  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_clause_clause,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant8 with function Model0.model = Model7.model,
+  function Model1.model = Model6.model
+  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
+  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model6.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner2.sat_inner,
+  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
+  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model6.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model7.model,
+  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
+  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant6 with predicate Invariant0.invariant' = Invariant7.invariant',
+  predicate Invariant1.invariant' = Invariant8.invariant'
+  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant6.invariant'
   clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
   predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant2 with function Model0.model = Model4.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  function Model0.model = Model4.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.creusat_clause_clause,
+  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicFormula_Impl2_SatInner as SatInner0 with function Model0.model = Model7.model,
+  predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_watches_watcher,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model1 with function Model0.model = Model3.model
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model3.model,
-  predicate Invariant0.invariant' = Invariant2.invariant', function Model1.model = Model4.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model1.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_watches_watcher,
+  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model5 with function Model0.model = Model9.model
+  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat1 with function Model0.model = Model5.model,
+  predicate SatInner0.sat_inner = SatInner2.sat_inner
+  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model7.model,
+  function Model1.model = Model6.model, predicate Sat0.sat = Sat1.sat
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = usize, type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model1.model,
+  predicate Sorted0.sorted = Sorted0.sorted
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model2.model,
+  function Model1.model = Model5.model,
+  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
+  clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model7.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic,
+  predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
+  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model2.model,
+  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
+  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model2.model,
+  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
+  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
+  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
+  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model5.model
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model6.model,
+  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
+  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model7.model
+  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model0.model,
+  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
+  clone CreuSat_Logic_LogicFormula_Impl2_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
+  predicate SatInner0.sat_inner = SatInner0.sat_inner
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_decision_node,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model2.model,
-  function Model1.model = Model3.model, function Model2.model = Model4.model,
+  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model8.model,
+  function Model1.model = Model7.model, function Model2.model = Model6.model,
   function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant0 with function Model0.model = Model0.model,
+  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model5.model,
+  function Model1.model = Model2.model, predicate Invariant0.invariant' = Invariant6.invariant',
+  function Model2.model = Model1.model, function Model3.model = Model7.model,
+  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
+  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
+  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
+  predicate Sat0.sat = Sat1.sat, predicate Sorted0.sorted = Sorted0.sorted,
+  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
+  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
+  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model2.model,
+  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model1.model,
+  predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
+  predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
+  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model5.model,
+  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
+  predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
+  predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
+  predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
+  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
+  function Model0.model = Model6.model
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror as InvariantMirror0 with function Model0.model = Model7.model,
+  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model6.model
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model6.model,
+  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
+  clone CreuSat_Logic_LogicAssignments_Impl1_Complete as Complete0 with function Model0.model = Model5.model,
+  predicate Unset0.unset = Unset0.unset
+  clone CreuSat_Logic_LogicFormula_Impl2_Sat as Sat0 with function Model0.model = Model0.model,
+  function Model1.model = Model5.model,
+  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant3 with function Model0.model = Model4.model
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant2 with function Model0.model = Model3.model,
   predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant1 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
+  function Model0.model = Model1.model, function Model1.model = Model2.model,
+  predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  function Model0.model = Model0.model,
+  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
+  use mach.int.Int64
+  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy0
+  clone CreusotContracts_Logic_Model_Impl0_Model as Model11 with type t = Type.creusat_assignments_assignments,
+  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model5.model
+  clone Alloc_Vec_Impl0_New_Interface as New0 with type t = uint8, function Model0.model = Model9.model
+  clone CreuSat_Formula_Impl2_IsSat_Interface as IsSat0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant5.invariant', predicate Sat0.sat = Sat0.sat,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreuSat_Trail_Impl0_EnqDecision_Interface as EnqDecision0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant1.invariant', function Model0.model = Model5.model,
+  predicate Unset0.unset = Unset0.unset, function Model1.model = Model2.model,
+  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve4 with type t = Type.creusat_trail_trail
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve3 with type t = Type.creusat_formula_formula
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_decision_decisions
+  clone CreuSat_Decision_Impl1_GetNext_Interface as GetNext0 with predicate Invariant0.invariant' = Invariant3.invariant',
+  predicate Invariant1.invariant' = Invariant5.invariant', function Model0.model = Model11.model,
+  predicate Unset0.unset = Unset0.unset, predicate Complete0.complete = Complete0.complete
+  clone CreuSat_Trail_Impl0_BacktrackTo_Interface as BacktrackTo0 with function Model0.model = Model1.model,
+  predicate Invariant0.invariant' = Invariant0.invariant', predicate Invariant1.invariant' = Invariant1.invariant',
+  predicate Invariant2.invariant' = Invariant3.invariant', function Model1.model = Model2.model,
+  function Model2.model = Model5.model,
+  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
   clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy2 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model7 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model4.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index1 with function Model0.model = Model7.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len1 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic as ToNegWatchidxLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl1_ToNegWatchidx_Interface as ToNegWatchidx0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function ToNegWatchidxLogic0.to_neg_watchidx_logic = ToNegWatchidxLogic0.to_neg_watchidx_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, function Model0.model = Model3.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model6 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
-  clone CreuSat_Formula_Impl0_Index_Interface as Index0 with function Model0.model = Model6.model
-  clone Alloc_Vec_Impl1_Push_Interface as Push0 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, function Model0.model = Model2.model
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type i = usize, type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  let rec cfg init_watches [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 135 4 135 47] (self : borrowed (Type.creusat_watches_watches)) (f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 132 4 132 42] Invariant0.invariant' ( * self) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 133 4 133 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 134 4 134 30] Invariant1.invariant' f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 132 4 132 42] Invariant0.invariant' ( ^ self) f }
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_solver_solver
+  clone CreuSat_Formula_Impl2_ReduceDb_Interface as ReduceDb0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant1.invariant',
+  predicate Equisat0.equisat = Equisat0.equisat,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreuSat_Trail_Impl0_DecisionLevel_Interface as DecisionLevel0 with function Model0.model = Model1.model
+  clone CreuSat_Solver_Impl0_UnitPropLoop_Interface as UnitPropLoop0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
+  predicate Invariant3.invariant' = Invariant3.invariant',
+  predicate NotSatisfiable0.not_satisfiable = NotSatisfiable0.not_satisfiable,
+  predicate Equisat0.equisat = Equisat0.equisat,
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  let rec cfg outer_loop [@cfg:stackify] [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 277 4 277 113] (self : borrowed (Type.creusat_solver_solver)) (f : borrowed (Type.creusat_formula_formula)) (d : borrowed (Type.creusat_decision_decisions)) (trail : borrowed (Type.creusat_trail_trail)) (w : borrowed (Type.creusat_watches_watches)) : Type.creusat_solver_satresult
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 262 4 262 37] Invariant0.invariant' ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 263 4 263 46] Invariant1.invariant' ( * trail) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 264 4 264 42] Invariant2.invariant' ( * w) ( * f)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 265 4 265 48] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 266 4 266 41] Invariant3.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 267 4 267 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) < div 18446744073709551615 2}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 262 4 262 37] Invariant0.invariant' ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 263 4 263 46] Invariant1.invariant' ( ^ trail) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 264 4 264 42] Invariant2.invariant' ( ^ w) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 265 4 265 48] Invariant3.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f))) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 268 4 268 45] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * f)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( ^ f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 269 4 269 29] Equisat0.equisat ( * f) ( ^ f) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 270 4 276 7] match (result) with
+      | Type.CreuSat_Solver_SatResult_Sat _ -> Sat0.sat ( ^ f) (Type.creusat_trail_trail_Trail_assignments ( ^ trail)) /\ Complete0.complete (Type.creusat_trail_trail_Trail_assignments ( ^ trail))
+      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable ( ^ f)
+      | Type.CreuSat_Solver_SatResult_Unknown -> true
+      | Type.CreuSat_Solver_SatResult_Err -> true
+      end }
     
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_watches_watches);
-  var f_2 : Type.creusat_formula_formula;
-  ghost var old_w_3 : borrowed (Type.creusat_watches_watches);
-  var _4 : ();
-  var i_5 : usize;
+   = [@vc:do_not_keep_trace] [@vc:sp]
+  var _0 : Type.creusat_solver_satresult;
+  var self_1 : borrowed (Type.creusat_solver_solver);
+  var f_2 : borrowed (Type.creusat_formula_formula);
+  var d_3 : borrowed (Type.creusat_decision_decisions);
+  var trail_4 : borrowed (Type.creusat_trail_trail);
+  var w_5 : borrowed (Type.creusat_watches_watches);
   var _6 : ();
-  var _7 : bool;
-  var _8 : usize;
-  var _9 : usize;
-  var _10 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var clause_11 : Type.creusat_clause_clause;
-  var _12 : Type.creusat_clause_clause;
-  var _13 : Type.creusat_formula_formula;
-  var _14 : usize;
+  var _7 : Type.core_option_option bool;
+  var _8 : borrowed (Type.creusat_solver_solver);
+  var _9 : borrowed (Type.creusat_formula_formula);
+  var _10 : borrowed (Type.creusat_decision_decisions);
+  var _11 : borrowed (Type.creusat_trail_trail);
+  var _12 : borrowed (Type.creusat_watches_watches);
+  var _13 : isize;
+  var _14 : ();
   var _15 : ();
-  var _16 : bool;
-  var _17 : usize;
-  var _18 : Type.creusat_clause_clause;
-  var _19 : ();
-  var _20 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _21 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _22 : borrowed (Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global));
-  var _23 : usize;
-  var _24 : Type.creusat_lit_lit;
-  var _25 : Type.creusat_lit_lit;
-  var _26 : Type.creusat_clause_clause;
-  var _27 : Type.creusat_watches_watcher;
-  var _28 : usize;
-  var _29 : Type.creusat_lit_lit;
-  var _30 : Type.creusat_lit_lit;
-  var _31 : Type.creusat_clause_clause;
-  var _32 : ();
-  var _33 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _34 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _35 : borrowed (Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global));
+  var slow_16 : usize;
+  var _17 : bool;
+  var _18 : usize;
+  var _19 : usize;
+  var _20 : bool;
+  var _21 : usize;
+  var _22 : usize;
+  var _23 : bool;
+  var _24 : ();
+  var _25 : bool;
+  var _26 : bool;
+  var _27 : usize;
+  var _28 : Type.creusat_trail_trail;
+  var _29 : bool;
+  var _30 : usize;
+  var _31 : usize;
+  var _32 : usize;
+  var _33 : ();
+  var _34 : bool;
+  var _35 : usize;
   var _36 : usize;
-  var _37 : Type.creusat_lit_lit;
-  var _38 : Type.creusat_lit_lit;
-  var _39 : Type.creusat_clause_clause;
-  var _40 : Type.creusat_watches_watcher;
-  var _41 : usize;
-  var _42 : Type.creusat_lit_lit;
-  var _43 : Type.creusat_lit_lit;
-  var _44 : Type.creusat_clause_clause;
-  var _45 : ();
+  var _37 : ();
+  var _38 : borrowed (Type.creusat_formula_formula);
+  var _39 : borrowed (Type.creusat_watches_watches);
+  var _40 : Type.creusat_trail_trail;
+  var _41 : borrowed (Type.creusat_solver_solver);
+  var _42 : ();
+  var _43 : borrowed (Type.creusat_trail_trail);
+  var _44 : Type.creusat_formula_formula;
+  var _45 : borrowed (Type.creusat_decision_decisions);
   var _46 : ();
-  var _47 : ();
+  var _47 : Type.core_option_option usize;
+  var _48 : borrowed (Type.creusat_decision_decisions);
+  var _49 : Type.creusat_assignments_assignments;
+  var _50 : Type.creusat_assignments_assignments;
+  var _51 : Type.creusat_formula_formula;
+  var _52 : isize;
+  var next_53 : usize;
+  var _54 : ();
+  var _55 : borrowed (Type.creusat_trail_trail);
+  var _56 : usize;
+  var _57 : Type.creusat_formula_formula;
+  var _58 : bool;
+  var _59 : Type.creusat_formula_formula;
+  var _60 : Type.creusat_assignments_assignments;
+  var _61 : Type.creusat_assignments_assignments;
+  var _62 : ();
+  var _63 : Type.alloc_vec_vec uint8 (Type.alloc_alloc_global);
+  var _64 : ();
   {
     self_1 <- self;
     f_2 <- f;
+    d_3 <- d;
+    trail_4 <- trail;
+    w_5 <- w;
     goto BB0
   }
   BB0 {
-    _4 <- ();
-    old_w_3 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 136 20 136 35] self_1);
+    _8 <- borrow_mut ( * self_1);
+    self_1 <- { self_1 with current = ( ^ _8) };
+    _9 <- borrow_mut ( * f_2);
+    f_2 <- { f_2 with current = ( ^ _9) };
+    _10 <- borrow_mut ( * d_3);
+    d_3 <- { d_3 with current = ( ^ _10) };
+    _11 <- borrow_mut ( * trail_4);
+    trail_4 <- { trail_4 with current = ( ^ _11) };
+    _12 <- borrow_mut ( * w_5);
+    w_5 <- { w_5 with current = ( ^ _12) };
+    _7 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 278 14 278 49] UnitPropLoop0.unit_prop_loop _8 _9 _10 _11 _12);
     goto BB1
   }
   BB1 {
-    i_5 <- (0 : usize);
-    goto BB2
+    switch (_7)
+      | Type.Core_Option_Option_None -> goto BB5
+      | Type.Core_Option_Option_Some _ -> goto BB2
+      end
   }
   BB2 {
-    invariant watch_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 138 8 138 51] Invariant0.invariant' ( * self_1) f_2 };
-    invariant same_len { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 139 8 139 72] Seq.length (Model0.model (Type.creusat_watches_watches_Watches_watches ( * self_1))) = 2 * UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_2) };
-    invariant proph { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 140 8 140 52]  ^ self_1 =  ^ old_w_3 };
-    _8 <- i_5;
-    _10 <- Type.creusat_formula_formula_Formula_clauses f_2;
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 141 18 141 33] Len0.len _10);
-    goto BB3
+    switch (Type.core_option_option_Some_0 _7)
+      | False -> goto BB4
+      | _ -> goto BB3
+      end
   }
   BB3 {
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 141 14 141 33] _8 < _9);
-    switch (_7)
-      | False -> goto BB20
-      | _ -> goto BB4
-      end
+    _6 <- ();
+    _18 <- Type.creusat_solver_solver_Solver_slow ( * self_1);
+    _20 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 283 34 283 48] (2 : usize) = (0 : usize));
+    assert { not _20 };
+    goto BB6
   }
   BB4 {
-    _13 <- f_2;
-    _14 <- i_5;
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 142 26 142 30] Index0.index _13 _14);
-    goto BB5
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve3.resolve f_2 };
+    assume { Resolve2.resolve d_3 };
+    assume { Resolve4.resolve trail_4 };
+    assume { Resolve1.resolve w_5 };
+    _0 <- Type.CreuSat_Solver_SatResult_Unsat;
+    goto BB34
   }
   BB5 {
-    clause_11 <- _12;
-    _18 <- clause_11;
-    _17 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 143 15 143 27] Len1.len _18);
-    goto BB6
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve3.resolve f_2 };
+    assume { Resolve2.resolve d_3 };
+    assume { Resolve4.resolve trail_4 };
+    assume { Resolve1.resolve w_5 };
+    _0 <- Type.CreuSat_Solver_SatResult_Err;
+    goto BB34
   }
   BB6 {
-    _16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 143 15 143 31] _17 > (1 : usize));
-    switch (_16)
-      | False -> goto BB18
+    _19 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 283 34 283 48] (18446744073709551615 : usize) / (2 : usize));
+    _17 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 283 22 283 48] _18 < _19);
+    switch (_17)
+      | False -> goto BB9
       | _ -> goto BB7
       end
   }
   BB7 {
-    _22 <- borrow_mut (Type.creusat_watches_watches_Watches_watches ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Watches_Watches a =  * self_1 in Type.CreuSat_Watches_Watches ( ^ _22)) };
-    _26 <- clause_11;
-    _25 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 146 29 146 38] Index1.index _26 (0 : usize));
+    _22 <- Type.creusat_solver_solver_Solver_slow ( * self_1);
+    _23 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 283 51 283 68] (100 : usize) = (0 : usize));
+    assert { not _23 };
     goto BB8
   }
   BB8 {
-    _24 <- _25;
-    _23 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 146 29 146 56] ToNegWatchidx0.to_neg_watchidx _24);
-    goto BB9
+    _21 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 283 51 283 68] _22 / (100 : usize));
+    slow_16 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 283 51 283 74] _21 * (125 : usize));
+    goto BB10
   }
   BB9 {
-    _21 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 146 16 146 57] IndexMut0.index_mut _22 _23);
+    slow_16 <- Type.creusat_solver_solver_Solver_slow ( * self_1);
     goto BB10
   }
   BB10 {
-    _20 <- borrow_mut ( * _21);
-    _21 <- { _21 with current = ( ^ _20) };
-    _28 <- i_5;
-    _31 <- clause_11;
-    _30 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 146 91 146 100] Index1.index _31 (1 : usize));
-    goto BB11
+    _28 <-  * trail_4;
+    _27 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 284 11 284 33] DecisionLevel0.decision_level _28);
+    goto BB14
   }
   BB11 {
-    _29 <- _30;
-    _27 <- Type.CreuSat_Watches_Watcher _28 _29;
-    _19 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 146 16 146 103] Push0.push _20 _27);
-    goto BB12
+    _25 <- false;
+    goto BB13
   }
   BB12 {
-    assume { Resolve0.resolve _21 };
-    _35 <- borrow_mut (Type.creusat_watches_watches_Watches_watches ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Watches_Watches a =  * self_1 in Type.CreuSat_Watches_Watches ( ^ _35)) };
-    _39 <- clause_11;
-    _38 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 147 29 147 38] Index1.index _39 (1 : usize));
+    _30 <- Type.creusat_solver_solver_Solver_fast ( * self_1);
+    _31 <- slow_16;
+    _29 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 284 41 284 57] _30 > _31);
+    _25 <- _29;
     goto BB13
   }
   BB13 {
-    _37 <- _38;
-    _36 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 147 29 147 56] ToNegWatchidx0.to_neg_watchidx _37);
-    goto BB14
+    switch (_25)
+      | False -> goto BB21
+      | _ -> goto BB15
+      end
   }
   BB14 {
-    _34 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 147 16 147 57] IndexMut0.index_mut _35 _36);
-    goto BB15
+    _26 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 284 11 284 37] _27 > (0 : usize));
+    switch (_26)
+      | False -> goto BB11
+      | _ -> goto BB12
+      end
   }
   BB15 {
-    _33 <- borrow_mut ( * _34);
-    _34 <- { _34 with current = ( ^ _33) };
-    _41 <- i_5;
-    _44 <- clause_11;
-    _43 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 147 91 147 100] Index1.index _44 (0 : usize));
-    goto BB16
+    _32 <- slow_16;
+    self_1 <- { self_1 with current = (let Type.CreuSat_Solver_Solver a b c d e f g h =  * self_1 in Type.CreuSat_Solver_Solver a b c d e _32 g h) };
+    _35 <- Type.creusat_solver_solver_Solver_num_lemmas ( * self_1);
+    _36 <- Type.creusat_solver_solver_Solver_max_lemmas ( * self_1);
+    _34 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 286 15 286 48] _35 > _36);
+    switch (_34)
+      | False -> goto BB18
+      | _ -> goto BB16
+      end
   }
   BB16 {
-    _42 <- _43;
-    _40 <- Type.CreuSat_Watches_Watcher _41 _42;
-    _32 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 147 16 147 103] Push0.push _33 _40);
+    _38 <- borrow_mut ( * f_2);
+    f_2 <- { f_2 with current = ( ^ _38) };
+    _39 <- borrow_mut ( * w_5);
+    w_5 <- { w_5 with current = ( ^ _39) };
+    _40 <-  * trail_4;
+    _41 <- borrow_mut ( * self_1);
+    self_1 <- { self_1 with current = ( ^ _41) };
+    _37 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 287 16 287 42] ReduceDb0.reduceDB _38 _39 _40 _41);
     goto BB17
   }
   BB17 {
-    assume { Resolve0.resolve _34 };
-    _15 <- ();
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve w_5 };
+    _33 <- ();
     goto BB19
   }
   BB18 {
-    _15 <- ();
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve w_5 };
+    _33 <- ();
     goto BB19
   }
   BB19 {
-    i_5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 149 12 149 18] i_5 + (1 : usize));
-    _6 <- ();
-    goto BB2
+    _43 <- borrow_mut ( * trail_4);
+    trail_4 <- { trail_4 with current = ( ^ _43) };
+    _44 <-  * f_2;
+    _45 <- borrow_mut ( * d_3);
+    d_3 <- { d_3 with current = ( ^ _45) };
+    _42 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 289 12 289 39] BacktrackTo0.backtrack_to _43 (0 : usize) _44 _45);
+    goto BB20
   }
   BB20 {
-    assume { Resolve1.resolve self_1 };
-    _0 <- ();
+    _24 <- ();
+    goto BB22
+  }
+  BB21 {
+    assume { Resolve0.resolve self_1 };
+    assume { Resolve1.resolve w_5 };
+    _24 <- ();
+    goto BB22
+  }
+  BB22 {
+    _48 <- borrow_mut ( * d_3);
+    d_3 <- { d_3 with current = ( ^ _48) };
+    _50 <- Type.creusat_trail_trail_Trail_assignments ( * trail_4);
+    _49 <- _50;
+    _51 <-  * f_2;
+    _47 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 292 14 292 47] GetNext0.get_next _48 _49 _51);
+    goto BB23
+  }
+  BB23 {
+    assume { Resolve2.resolve d_3 };
+    switch (_47)
+      | Type.Core_Option_Option_None -> goto BB24
+      | Type.Core_Option_Option_Some _ -> goto BB26
+      end
+  }
+  BB24 {
+    _59 <-  * f_2;
+    assume { Resolve3.resolve f_2 };
+    _61 <- Type.creusat_trail_trail_Trail_assignments ( * trail_4);
+    assume { Resolve4.resolve trail_4 };
+    _60 <- _61;
+    _58 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 301 19 301 47] IsSat0.is_sat _59 _60);
+    goto BB28
+  }
+  BB25 {
+    assume { Resolve3.resolve f_2 };
+    assume { Resolve4.resolve trail_4 };
+    absurd
+  }
+  BB26 {
+    next_53 <- Type.core_option_option_Some_0 _47;
+    _55 <- borrow_mut ( * trail_4);
+    trail_4 <- { trail_4 with current = ( ^ _55) };
+    _56 <- next_53;
+    _57 <-  * f_2;
+    assume { Resolve3.resolve f_2 };
+    _54 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 294 16 294 43] EnqDecision0.enq_decision _55 _56 _57);
+    goto BB27
+  }
+  BB27 {
+    assume { Resolve4.resolve trail_4 };
+    _46 <- ();
+    _0 <- Type.CreuSat_Solver_SatResult_Unknown;
+    goto BB35
+  }
+  BB28 {
+    switch (_58)
+      | False -> goto BB32
+      | _ -> goto BB29
+      end
+  }
+  BB29 {
+    _63 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 302 42 302 52] New0.new ());
+    goto BB30
+  }
+  BB30 {
+    _0 <- Type.CreuSat_Solver_SatResult_Sat _63;
+    goto BB31
+  }
+  BB31 {
+    goto BB33
+  }
+  BB32 {
+    _0 <- Type.CreuSat_Solver_SatResult_Err;
+    goto BB33
+  }
+  BB33 {
+    goto BB35
+  }
+  BB34 {
+    goto BB35
+  }
+  BB35 {
     return _0
   }
   
 end
-module CreuSat_Trail_Impl0_LearnUnits_Interface
+module CreuSat_Solver_Impl0_Inner_Interface
   use mach.int.UInt64
-  use Type
+  use mach.int.Int
   use prelude.Prelude
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable_Interface as NotSatisfiable0
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror_Interface as InvariantMirror0
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant_Interface as Invariant2 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  use mach.int.Int32
+  use Type
+  use prelude.UInt8
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable_Interface as NotSatisfiable0
+  clone CreuSat_Logic_LogicFormula_Impl2_EventuallySatCompleteNoAss_Interface as EventuallySatCompleteNoAss0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicFormula_Impl2_SatInner_Interface as SatInner0
+  clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model0 with type t = uint8, type a = Type.alloc_alloc_global,
   axiom .
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant3
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
   clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant1
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant0
-  val learn_units [@cfg:stackify] (self : borrowed (Type.creusat_trail_trail)) (f : Type.creusat_formula_formula) (d : borrowed (Type.creusat_decision_decisions)) : Type.core_option_option bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 329 4 329 42] Invariant0.invariant' ( * self) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 330 4 330 48] Invariant1.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 331 4 331 30] Invariant2.invariant' f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 329 4 329 42] Invariant0.invariant' ( ^ self) f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 330 4 330 48] Invariant1.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 332 4 335 7] match (result) with
-      | Type.Core_Option_Option_Some (True) -> NotSatisfiable0.not_satisfiable f
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val inner [@cfg:stackify] (self : borrowed (Type.creusat_solver_solver)) (formula : borrowed (Type.creusat_formula_formula)) (decisions : Type.creusat_decision_decisions) (trail : Type.creusat_trail_trail) (watches : Type.creusat_watches_watches) : Type.creusat_solver_satresult
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 313 4 313 50] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula)) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 314 4 314 36] Invariant0.invariant' ( * formula)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 315 4 315 55] Invariant1.invariant' decisions (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 316 4 316 42] Invariant2.invariant' trail ( * formula)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 317 4 317 44] Invariant3.invariant' watches ( * formula)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 318 4 318 55] Invariant1.invariant' decisions (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula)))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 319 4 323 7] match (result) with
+      | Type.CreuSat_Solver_SatResult_Sat v -> SatInner0.sat_inner ( ^ formula) (Model0.model v) /\ Equisat0.equisat ( * formula) ( ^ formula) /\ EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass ( * formula)
+      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable ( ^ formula) /\ Equisat0.equisat ( * formula) ( ^ formula)
       | _ -> true
       end }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 324 4 324 41] Equisat0.equisat ( * formula) ( ^ formula) }
     
 end
-module CreuSat_Trail_Impl0_LearnUnits
+module CreuSat_Solver_Impl0_Inner
   use mach.int.UInt64
-  use Type
-  use prelude.Prelude
   use mach.int.Int
+  use prelude.Prelude
+  use mach.int.Int32
+  use Type
   use prelude.UInt8
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
+  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
+  clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner2 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
   function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant6 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model5 with function Model0.model = Model8.model
-  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model5.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant3 with function Model0.model = Model5.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = Type.creusat_lit_lit,
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = Type.creusat_lit_lit,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model4 with function Model0.model = Model7.model
-  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner1 with function Model0.model = Model4.model,
-  predicate SatInner0.sat_inner = SatInner0.sat_inner
+  clone CreuSat_Logic_LogicClause_Impl0_Model as Model7 with function Model0.model = Model10.model
+  clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner1 with function Model0.model = Model7.model,
+  predicate SatInner0.sat_inner = SatInner2.sat_inner
   clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
-  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
-  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
-  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model4.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner0.sat_inner,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant5 with function Model0.model = Model4.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model0.model = Model4.model
-  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model4.model,
+  clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
   function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant7 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant7.invariant'
+  clone CreuSat_Logic_Logic_Unset as Unset0
+  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
+  clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
+  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
+  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
   clone CreusotContracts_Std1_Vec_Impl0_Model as Model6 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant7 with function Model0.model = Model6.model,
-  function Model1.model = Model4.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant4 with predicate Invariant0.invariant' = Invariant6.invariant',
-  predicate Invariant1.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant4.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
+  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant8 with function Model0.model = Model6.model,
+  function Model1.model = Model7.model
+  clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner2.sat_inner
+  clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model7.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner2.sat_inner,
+  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
+  clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model7.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
   clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model6.model,
   predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
+  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant6 with predicate Invariant0.invariant' = Invariant7.invariant',
+  predicate Invariant1.invariant' = Invariant8.invariant'
+  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant6.invariant'
+  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
+  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
+  clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_watches_watcher,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model8 with function Model0.model = Model0.model
+  clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model8.model,
+  predicate SatInner0.sat_inner = SatInner2.sat_inner
+  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
   clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model6.model,
-  function Model1.model = Model4.model, predicate Sat0.sat = Sat0.sat
+  function Model1.model = Model7.model, predicate Sat0.sat = Sat0.sat
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model3 with type t = usize, type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model3.model,
+  predicate Sorted0.sorted = Sorted0.sorted
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model4.model,
+  function Model1.model = Model8.model,
+  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
   clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model6.model,
   function IndexLogic0.index_logic = IndexLogic0.index_logic,
   predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model3 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model3.model,
-  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model4.model,
-  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model6.model,
-  predicate Invariant0.invariant' = Invariant5.invariant', function Model1.model = Model4.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant2 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
-  function Model0.model = Model3.model,
-  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant1 with function Model0.model = Model2.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model1.model,
-  function Model1.model = Model5.model,
-  predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model1.model,
+  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model4.model,
   predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model1.model,
+  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model4.model,
   predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model0.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model5.model,
-  function Model1.model = Model1.model, predicate Invariant0.invariant' = Invariant4.invariant',
-  function Model2.model = Model0.model, function Model3.model = Model6.model,
+  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
+  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
+  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant5 with function Model0.model = Model8.model
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant4 with function Model0.model = Model7.model,
+  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
+  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model1 with function Model0.model = Model6.model
+  clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model1.model,
+  predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
+  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model9.model,
+  function Model1.model = Model6.model, function Model2.model = Model7.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model5 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model8.model,
+  function Model1.model = Model4.model, predicate Invariant0.invariant' = Invariant6.invariant',
+  function Model2.model = Model3.model, function Model3.model = Model6.model,
   predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in,
   predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner,
   predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
   predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
   predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
   clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
-  predicate Invariant0.invariant' = Invariant3.invariant', function Model0.model = Model1.model,
-  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model0.model,
+  predicate Invariant0.invariant' = Invariant5.invariant', function Model0.model = Model4.model,
+  predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model3.model,
   predicate LitToLevelInvariant0.lit_to_level_invariant = LitToLevelInvariant0.lit_to_level_invariant,
   predicate LitNotInLess0.lit_not_in_less = LitNotInLess0.lit_not_in_less,
-  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model5.model,
+  predicate LitIsUnique0.lit_is_unique = LitIsUnique0.lit_is_unique, function Model2.model = Model8.model,
   predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
   predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
   predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
   predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant0 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
-  function Model0.model = Model0.model, function Model1.model = Model1.model,
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_decision_node,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant4.invariant',
+  function Model0.model = Model7.model
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror as InvariantMirror0 with function Model0.model = Model6.model,
+  predicate Invariant0.invariant' = Invariant4.invariant', function Model1.model = Model7.model
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model7.model,
+  predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
+  clone CreuSat_Logic_LogicFormula_Impl2_SatInner as SatInner0 with function Model0.model = Model6.model,
+  predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_LogicFormula_Impl2_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
+  predicate SatInner0.sat_inner = SatInner0.sat_inner
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant3 with function Model0.model = Model5.model,
+  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant2 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
+  function Model0.model = Model3.model, function Model1.model = Model4.model,
   predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant1 with function Model0.model = Model2.model
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  function Model0.model = Model1.model,
+  predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
+  use mach.int.Int64
+  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve6 with type t = uint8
+  clone CreuSat_Logic_LogicAssignments_Impl1_Complete as Complete0 with function Model0.model = Model8.model,
+  predicate Unset0.unset = Unset0.unset
+  clone CreuSat_Logic_LogicFormula_Impl2_Sat as Sat1 with function Model0.model = Model1.model,
+  function Model1.model = Model8.model,
+  predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
+  clone CreusotContracts_Std1_Vec_Impl1_Resolve as Resolve5 with type t = uint8, function Model0.model = Model0.model,
+  predicate Resolve0.resolve = Resolve6.resolve
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve4 with type t = Type.creusat_formula_formula
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve3 with type t = Type.creusat_solver_solver
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = Type.creusat_watches_watches
   clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_trail_trail
   clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_decision_decisions
-  clone CreuSat_Logic_LogicAssignments_Impl0_ModelTy as ModelTy2
-  clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy1
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreuSat_Logic_LogicLit_Impl1_UnsetInner as UnsetInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl1_Unsat as Unsat0 with function Model0.model = Model5.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicLit_Impl1_Unset as Unset1 with function Model0.model = Model5.model,
-  predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model11 with type t = Type.creusat_assignments_assignments,
-  type ModelTy0.modelTy = ModelTy2.modelTy, function Model0.model = Model5.model
-  clone CreuSat_Lit_Impl1_LitUnsat_Interface as LitUnsat0 with function Model0.model = Model11.model,
-  predicate Invariant0.invariant' = Invariant6.invariant', predicate Unsat0.unsat = Unsat0.unsat
-  clone CreuSat_Lit_Impl1_LitSet_Interface as LitSet0 with function Model0.model = Model11.model,
-  predicate Invariant0.invariant' = Invariant6.invariant', predicate Unset0.unset = Unset1.unset
-  clone CreuSat_Logic_LogicClause_Impl2_UnsatInner as UnsatInner1 with function Model0.model = Model4.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
-  clone CreuSat_Logic_LogicClause_Impl2_Unsat as Unsat1 with function Model0.model = Model5.model,
-  predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model10 with type t = Type.creusat_clause_clause,
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model4.model
-  clone CreuSat_Clause_Impl0_Index_Interface as Index1 with function Model0.model = Model10.model
-  clone CreuSat_Clause_Impl3_Len_Interface as Len1 with function Model0.model = Model10.model
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, function Model0.model = Model6.model
-  clone CreusotContracts_Logic_Model_Impl0_Model as Model9 with type t = Type.creusat_formula_formula,
-  type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model3.model
-  clone CreuSat_Formula_Impl0_Index_Interface as Index0 with function Model0.model = Model9.model
-  clone CreuSat_Trail_Impl0_LearnUnit_Interface as LearnUnit0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  function Model0.model = Model6.model, function Model1.model = Model4.model,
-  predicate Invariant3.invariant' = Invariant5.invariant', function Model2.model = Model1.model,
-  function Model3.model = Model5.model,
-  predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
-  predicate Sat0.sat = Sat0.sat, predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_ConflictAnalysis_ResolveEmptyClause_Interface as ResolveEmptyClause0 with predicate Invariant0.invariant' = Invariant2.invariant',
-  predicate Invariant1.invariant' = Invariant0.invariant', function Model0.model = Model6.model,
-  predicate Unsat0.unsat = Unsat1.unsat, predicate NotSatisfiable0.not_satisfiable = NotSatisfiable0.not_satisfiable,
+  clone CreuSat_Solver_Impl0_OuterLoop_Interface as OuterLoop0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant2.invariant', predicate Invariant2.invariant' = Invariant3.invariant',
+  predicate Invariant3.invariant' = Invariant1.invariant', predicate Equisat0.equisat = Equisat0.equisat,
+  predicate Sat0.sat = Sat1.sat, predicate Complete0.complete = Complete0.complete,
+  predicate NotSatisfiable0.not_satisfiable = NotSatisfiable0.not_satisfiable,
   predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg learn_units [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 336 4 336 81] (self : borrowed (Type.creusat_trail_trail)) (f : Type.creusat_formula_formula) (d : borrowed (Type.creusat_decision_decisions)) : Type.core_option_option bool
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 329 4 329 42] Invariant0.invariant' ( * self) f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 330 4 330 48] Invariant1.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 331 4 331 30] Invariant2.invariant' f}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 329 4 329 42] Invariant0.invariant' ( ^ self) f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 330 4 330 48] Invariant1.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 332 4 335 7] match (result) with
-      | Type.Core_Option_Option_Some (True) -> NotSatisfiable0.not_satisfiable f
+  let rec cfg inner [@cfg:stackify] [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 325 4 327 18] (self : borrowed (Type.creusat_solver_solver)) (formula : borrowed (Type.creusat_formula_formula)) (decisions : Type.creusat_decision_decisions) (trail : Type.creusat_trail_trail) (watches : Type.creusat_watches_watches) : Type.creusat_solver_satresult
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 313 4 313 50] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula)) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 314 4 314 36] Invariant0.invariant' ( * formula)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 315 4 315 55] Invariant1.invariant' decisions (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 316 4 316 42] Invariant2.invariant' trail ( * formula)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 317 4 317 44] Invariant3.invariant' watches ( * formula)}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 318 4 318 55] Invariant1.invariant' decisions (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula)))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 319 4 323 7] match (result) with
+      | Type.CreuSat_Solver_SatResult_Sat v -> SatInner0.sat_inner ( ^ formula) (Model0.model v) /\ Equisat0.equisat ( * formula) ( ^ formula) /\ EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass ( * formula)
+      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable ( ^ formula) /\ Equisat0.equisat ( * formula) ( ^ formula)
       | _ -> true
       end }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 324 4 324 41] Equisat0.equisat ( * formula) ( ^ formula) }
     
-   =
-  var _0 : Type.core_option_option bool;
-  var self_1 : borrowed (Type.creusat_trail_trail);
-  var f_2 : Type.creusat_formula_formula;
-  var d_3 : borrowed (Type.creusat_decision_decisions);
-  var _4 : ();
-  var i_5 : usize;
-  ghost var old_d_6 : borrowed (Type.creusat_decision_decisions);
+   = [@vc:do_not_keep_trace] [@vc:sp]
+  var _0 : Type.creusat_solver_satresult;
+  var self_1 : borrowed (Type.creusat_solver_solver);
+  var formula_2 : borrowed (Type.creusat_formula_formula);
+  var decisions_3 : Type.creusat_decision_decisions;
+  var trail_4 : Type.creusat_trail_trail;
+  var watches_5 : Type.creusat_watches_watches;
+  ghost var old_f_6 : borrowed (Type.creusat_formula_formula);
   var _7 : ();
-  ghost var old_self_8 : borrowed (Type.creusat_trail_trail);
+  var _8 : ();
   var _9 : ();
-  var _10 : ();
-  var _11 : ();
-  var _12 : bool;
-  var _13 : usize;
-  var _14 : usize;
-  var _15 : Type.alloc_vec_vec (Type.creusat_clause_clause) (Type.alloc_alloc_global);
-  var clause_16 : Type.creusat_clause_clause;
-  var _17 : Type.creusat_clause_clause;
-  var _18 : Type.creusat_formula_formula;
-  var _19 : usize;
+  var _10 : Type.creusat_solver_satresult;
+  var _11 : borrowed (Type.creusat_solver_solver);
+  var _12 : borrowed (Type.creusat_formula_formula);
+  var _13 : borrowed (Type.creusat_decision_decisions);
+  var _14 : borrowed (Type.creusat_decision_decisions);
+  var _15 : borrowed (Type.creusat_trail_trail);
+  var _16 : borrowed (Type.creusat_trail_trail);
+  var _17 : borrowed (Type.creusat_watches_watches);
+  var _18 : borrowed (Type.creusat_watches_watches);
+  var _19 : isize;
   var _20 : ();
-  var _21 : bool;
-  var _22 : usize;
-  var _23 : Type.creusat_clause_clause;
-  var lit_24 : Type.creusat_lit_lit;
-  var _25 : Type.creusat_lit_lit;
-  var _26 : Type.creusat_clause_clause;
-  var _27 : bool;
-  var _28 : Type.creusat_lit_lit;
-  var _29 : Type.creusat_assignments_assignments;
-  var _30 : Type.creusat_assignments_assignments;
-  var _31 : bool;
-  var _32 : Type.creusat_lit_lit;
-  var _33 : Type.creusat_assignments_assignments;
-  var _34 : Type.creusat_assignments_assignments;
-  var _35 : ();
-  var _36 : bool;
-  var _37 : Type.creusat_formula_formula;
-  var _38 : Type.creusat_trail_trail;
-  var _39 : usize;
-  var _40 : Type.core_result_result () ();
-  var _41 : borrowed (Type.creusat_trail_trail);
-  var _42 : usize;
-  var _43 : Type.creusat_formula_formula;
-  var _44 : borrowed (Type.creusat_decision_decisions);
-  var _45 : ();
-  var _46 : ();
-  var _47 : ();
+  var _21 : Type.alloc_vec_vec uint8 (Type.alloc_alloc_global);
+  var o_22 : Type.creusat_solver_satresult;
+  var _23 : ();
   {
     self_1 <- self;
-    f_2 <- f;
-    d_3 <- d;
+    formula_2 <- formula;
+    decisions_3 <- decisions;
+    trail_4 <- trail;
+    watches_5 <- watches;
     goto BB0
   }
   BB0 {
-    i_5 <- (0 : usize);
-    _7 <- ();
-    old_d_6 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 338 20 338 32] d_3);
     goto BB1
   }
   BB1 {
-    _9 <- ();
-    old_self_8 <- ghost ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 339 23 339 38] self_1);
     goto BB2
   }
   BB2 {
     goto BB3
   }
   BB3 {
-    invariant self_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 340 8 340 50] Invariant0.invariant' ( * self_1) f_2 };
-    invariant proph { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 341 8 341 55]  ^ old_self_8 =  ^ self_1 };
-    invariant proph_d { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 342 8 342 51]  ^ old_d_6 =  ^ d_3 };
-    invariant d_inv { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 343 8 343 53] Invariant1.invariant' ( * d_3) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f_2)) };
-    _13 <- i_5;
-    _15 <- Type.creusat_formula_formula_Formula_clauses f_2;
-    _14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 344 18 344 33] Len0.len _15);
     goto BB4
   }
   BB4 {
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 344 14 344 33] _13 < _14);
-    switch (_12)
-      | False -> goto BB21
-      | _ -> goto BB5
-      end
+    _7 <- ();
+    old_f_6 <- ghost ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 328 20 328 38] formula_2);
+    goto BB5
   }
   BB5 {
-    _18 <- f_2;
-    _19 <- i_5;
-    _17 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 345 26 345 30] Index0.index _18 _19);
     goto BB6
   }
   BB6 {
-    clause_16 <- _17;
-    _23 <- clause_16;
-    _22 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 346 15 346 27] Len1.len _23);
     goto BB7
   }
   BB7 {
-    _21 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 346 15 346 32] _22 = (1 : usize));
-    switch (_21)
-      | False -> goto BB19
-      | _ -> goto BB8
-      end
+    goto BB8
   }
   BB8 {
-    _26 <- clause_16;
-    _25 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 347 26 347 35] Index1.index _26 (0 : usize));
     goto BB9
   }
   BB9 {
-    lit_24 <- _25;
-    _28 <- lit_24;
-    _30 <- Type.creusat_trail_trail_Trail_assignments ( * self_1);
-    _29 <- _30;
-    _27 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 348 19 348 49] LitSet0.lit_set _28 _29);
+    invariant equi { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 329 8 329 59] Equisat0.equisat ( * old_f_6) ( * formula_2) };
+    invariant num_vars { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 330 8 330 68] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula_2)) = UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * old_f_6)) };
+    invariant maintains_f { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 331 8 331 54] Invariant0.invariant' ( * formula_2) };
+    invariant maintains_t { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 332 8 332 60] Invariant2.invariant' trail_4 ( * formula_2) };
+    invariant maintains_w { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 333 8 333 62] Invariant3.invariant' watches_5 ( * formula_2) };
+    invariant maintains_d { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 334 8 334 73] Invariant1.invariant' decisions_3 (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars ( * formula_2))) };
+    invariant proph_f { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 335 8 335 57]  ^ formula_2 =  ^ old_f_6 };
+    _11 <- borrow_mut ( * self_1);
+    self_1 <- { self_1 with current = ( ^ _11) };
+    _12 <- borrow_mut ( * formula_2);
+    formula_2 <- { formula_2 with current = ( ^ _12) };
+    _14 <- borrow_mut decisions_3;
+    decisions_3 <-  ^ _14;
+    _13 <- borrow_mut ( * _14);
+    _14 <- { _14 with current = ( ^ _13) };
+    _16 <- borrow_mut trail_4;
+    trail_4 <-  ^ _16;
+    _15 <- borrow_mut ( * _16);
+    _16 <- { _16 with current = ( ^ _15) };
+    _18 <- borrow_mut watches_5;
+    watches_5 <-  ^ _18;
+    _17 <- borrow_mut ( * _18);
+    _18 <- { _18 with current = ( ^ _17) };
+    _10 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 337 18 337 84] OuterLoop0.outer_loop _11 _12 _13 _15 _17);
     goto BB10
   }
   BB10 {
-    switch (_27)
-      | False -> goto BB16
+    assume { Resolve0.resolve _14 };
+    assume { Resolve1.resolve _16 };
+    assume { Resolve2.resolve _18 };
+    switch (_10)
+      | Type.CreuSat_Solver_SatResult_Sat _ -> goto BB13
+      | Type.CreuSat_Solver_SatResult_Unknown -> goto BB12
       | _ -> goto BB11
       end
   }
   BB11 {
-    _32 <- lit_24;
-    _34 <- Type.creusat_trail_trail_Trail_assignments ( * self_1);
-    _33 <- _34;
-    _31 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 349 23 349 55] LitUnsat0.lit_unsat _32 _33);
-    goto BB12
+    assume { Resolve3.resolve self_1 };
+    assume { Resolve4.resolve formula_2 };
+    o_22 <- _10;
+    _0 <- o_22;
+    goto BB16
   }
   BB12 {
-    switch (_31)
-      | False -> goto BB15
-      | _ -> goto BB13
-      end
+    _9 <- ();
+    goto BB15
   }
   BB13 {
-    assume { Resolve0.resolve d_3 };
-    _37 <- f_2;
-    _38 <-  * self_1;
-    assume { Resolve1.resolve self_1 };
-    _39 <- i_5;
-    _36 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 353 36 353 68] ResolveEmptyClause0.resolve_empty_clause _37 _38 _39);
+    assume { Resolve3.resolve self_1 };
+    assume { Resolve4.resolve formula_2 };
+    assume { Resolve5.resolve _21 };
+    _21 <- Type.creusat_assignments_assignments_Assignments_0 (Type.creusat_trail_trail_Trail_assignments trail_4);
+    _0 <- Type.CreuSat_Solver_SatResult_Sat _21;
     goto BB14
   }
   BB14 {
-    _0 <- Type.Core_Option_Option_Some _36;
-    goto BB22
+    goto BB17
   }
   BB15 {
-    _20 <- ();
-    goto BB18
+    goto BB9
   }
   BB16 {
-    _41 <- borrow_mut ( * self_1);
-    self_1 <- { self_1 with current = ( ^ _41) };
-    _42 <- i_5;
-    _43 <- f_2;
-    _44 <- borrow_mut ( * d_3);
-    d_3 <- { d_3 with current = ( ^ _44) };
-    _40 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 356 20 356 44] LearnUnit0.learn_unit _41 _42 _43 _44);
     goto BB17
   }
   BB17 {
-    _20 <- ();
     goto BB18
   }
   BB18 {
-    goto BB20
+    goto BB19
   }
   BB19 {
-    _20 <- ();
     goto BB20
   }
   BB20 {
-    i_5 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/trail.rs" 359 12 359 18] i_5 + (1 : usize));
-    _11 <- ();
-    goto BB3
+    goto BB21
   }
   BB21 {
-    assume { Resolve1.resolve self_1 };
-    assume { Resolve0.resolve d_3 };
-    _10 <- ();
-    _0 <- Type.Core_Option_Option_None;
-    goto BB22
-  }
-  BB22 {
     return _0
   }
   
+end
+module CreuSat_Trail_Impl0_New_Interface
+  use prelude.Prelude
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant2
+  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  val new [@cfg:stackify] (f : Type.creusat_formula_formula) (a : Type.creusat_assignments_assignments) : Type.creusat_trail_trail
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 42 4 42 30] Invariant0.invariant' f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 43 4 43 32] Invariant1.invariant' a f}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 44 4 44 36] Invariant2.invariant' result f }
+    
+end
+module CreuSat_Watches_Impl0_New_Interface
+  use prelude.Prelude
+  use Type
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant0
+  val new [@cfg:stackify] (f : Type.creusat_formula_formula) : Type.creusat_watches_watches
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 74 4 74 36] Invariant0.invariant' result f }
+    
+end
+module CreuSat_Watches_Impl0_InitWatches_Interface
+  use mach.int.UInt64
+  use mach.int.Int
+  use prelude.Prelude
+  use mach.int.Int32
+  use Type
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant1 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant0
+  val init_watches [@cfg:stackify] (self : borrowed (Type.creusat_watches_watches)) (f : Type.creusat_formula_formula) : ()
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 132 4 132 42] Invariant0.invariant' ( * self) f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 133 4 133 44] UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f) < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 134 4 134 30] Invariant1.invariant' f}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 132 4 132 42] Invariant0.invariant' ( ^ self) f }
+    
+end
+module CreuSat_Trail_Impl0_LearnUnits_Interface
+  use mach.int.UInt64
+  use Type
+  use prelude.Prelude
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror_Interface as InvariantMirror0
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable_Interface as NotSatisfiable0
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant_Interface as Invariant2 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  axiom .
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant_Interface as Invariant1
+  clone CreuSat_Logic_LogicTrail_Impl2_Invariant_Interface as Invariant0
+  val learn_units [@cfg:stackify] (self : borrowed (Type.creusat_trail_trail)) (f : Type.creusat_formula_formula) (d : borrowed (Type.creusat_decision_decisions)) : Type.core_option_option bool
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 329 4 329 42] Invariant0.invariant' ( * self) f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 330 4 330 48] Invariant1.invariant' ( * d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 331 4 331 30] Invariant2.invariant' f}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 329 4 329 42] Invariant0.invariant' ( ^ self) f }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 330 4 330 48] Invariant1.invariant' ( ^ d) (UInt64.to_int (Type.creusat_formula_formula_Formula_num_vars f)) }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/trail.rs" 332 4 335 7] match (result) with
+      | Type.Core_Option_Option_Some (True) -> NotSatisfiable0.not_satisfiable f
+      | _ -> true
+      end }
+    
 end
 module CreuSat_Solver_Solver_Interface
   use Type
   use prelude.Prelude
   use mach.int.Int
   use prelude.UInt8
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable_Interface as NotSatisfiable0
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat_Interface as Equisat0
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable_Interface as NotSatisfiable0
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat_Interface as Equisat0
   clone CreuSat_Logic_LogicFormula_FormulaSatInner_Interface as FormulaSatInner0
   clone CreusotContracts_Std1_Vec_Impl0_Model_Interface as Model1 with type t = uint8, type a = Type.alloc_alloc_global,
   axiom .
   clone CreuSat_Logic_LogicFormula_Impl0_Model_Interface as Model0
   val solver [@cfg:stackify] (formula : borrowed (Type.creusat_formula_formula)) : Type.creusat_solver_satresult
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 351 0 355 3] match (result) with
-      | Type.CreuSat_Solver_SatResult_Sat assn -> FormulaSatInner0.formula_sat_inner (Model0.model ( ^ formula)) (Model1.model assn) && Equisat0.equisat ( * formula) ( ^ formula)
-      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable ( ^ formula) && Equisat0.equisat ( * formula) ( ^ formula)
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 351 0 355 3] match (result) with
+      | Type.CreuSat_Solver_SatResult_Sat assn -> FormulaSatInner0.formula_sat_inner (Model0.model ( ^ formula)) (Model1.model assn) /\ Equisat0.equisat ( * formula) ( ^ formula)
+      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable ( ^ formula) /\ Equisat0.equisat ( * formula) ( ^ formula)
       | _ -> true
       end }
     
@@ -24340,8 +8220,6 @@ module CreuSat_Solver_Solver
   use prelude.Prelude
   use mach.int.Int
   use prelude.UInt8
-  clone CreuSat_Logic_Logic_Unset as Unset0
-  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
   clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
   clone CreuSat_Logic_LogicLit_Impl1_SatInner as SatInner1 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
@@ -24352,85 +8230,80 @@ module CreuSat_Solver_Solver
   clone CreuSat_Logic_LogicClause_Impl2_SatInner as SatInner0 with function Model0.model = Model3.model,
   predicate SatInner0.sat_inner = SatInner1.sat_inner
   clone CreuSat_Logic_LogicFormula_FormulaSatInner as FormulaSatInner0 with predicate SatInner0.sat_inner = SatInner0.sat_inner
+  clone CreuSat_Logic_Logic_Unset as Unset0
+  clone CreuSat_Logic_LogicAssignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset
   clone CreuSat_Logic_LogicFormula_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss1 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
   predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner
   clone CreuSat_Logic_LogicClause_EquisatExtensionInner as EquisatExtensionInner0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss1.eventually_sat_complete_no_ass
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
   clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl1_SatInner as SatInner2 with function Model0.model = Model2.model,
+  clone CreuSat_Logic_LogicFormula_Impl2_SatInner as SatInner2 with function Model0.model = Model2.model,
   predicate SatInner0.sat_inner = SatInner0.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
-  predicate SatInner0.sat_inner = SatInner2.sat_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
   clone CreuSat_Logic_LogicFormula_Impl0_Model as Model0 with function Model0.model = Model2.model
   clone CreuSat_Logic_LogicClause_Impl2_EquisatExtension as EquisatExtension0 with function Model0.model = Model0.model,
   predicate EquisatExtensionInner0.equisat_extension_inner = EquisatExtensionInner0.equisat_extension_inner
-  clone CreuSat_Logic_LogicFormula_Impl1_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model3.model,
+  clone CreuSat_Logic_LogicFormula_Impl2_EventuallySatCompleteNoAss as EventuallySatCompleteNoAss0 with predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner,
+  predicate SatInner0.sat_inner = SatInner2.sat_inner
+  clone CreuSat_Logic_LogicFormula_Impl2_NotSatisfiable as NotSatisfiable0 with function Model0.model = Model3.model,
   predicate EquisatExtension0.equisat_extension = EquisatExtension0.equisat_extension
+  clone CreuSat_Logic_LogicFormula_Impl2_Equisat as Equisat0 with predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = uint8, type a = Type.alloc_alloc_global, axiom .
   use mach.int.Int64
   use mach.int.UInt64
-  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
-  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model11 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_decision_node,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant3 with function Model0.model = Model9.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_trail_step,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = usize, type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model7.model,
-  predicate Sorted0.sorted = Sorted0.sorted
-  clone CreuSat_Solver_Impl0_New_Interface as New4
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_decision_decisions
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_formula_formula
-  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
-  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant7 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant7.invariant'
-  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
-  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
-  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model8.model,
-  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
   clone CreuSat_Logic_LogicLit_Impl1_UnsatInner as UnsatInner0 with function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic,
   function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicUtil_SortedRange as SortedRange0
+  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant8 with function Model0.model = Model2.model,
+  function Model1.model = Model3.model
+  clone CreuSat_Logic_LogicLit_Impl1_Invariant as Invariant7 with function IndexLogic0.index_logic = IndexLogic0.index_logic
   clone CreuSat_Logic_LogicTrail_TrailEntriesAreAssignedInner as TrailEntriesAreAssignedInner0 with predicate SatInner0.sat_inner = SatInner1.sat_inner
   clone CreuSat_Logic_LogicTrail_ClausePostWithRegardsToInner as ClausePostWithRegardsToInner0 with function Model0.model = Model3.model,
   function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate SatInner0.sat_inner = SatInner1.sat_inner,
   predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner
   clone CreuSat_Logic_LogicLit_Impl1_LitIdxIn as LitIdxIn0 with function Model0.model = Model3.model,
   function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant5 with function Model0.model = Model3.model,
-  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
-  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant5.invariant',
-  function Model0.model = Model3.model
+  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model2.model,
+  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
+  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant6 with predicate Invariant0.invariant' = Invariant7.invariant',
+  predicate Invariant1.invariant' = Invariant8.invariant'
+  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant6.invariant'
+  clone CreuSat_Logic_LogicClause_NoDuplicateIndexesInner as NoDuplicateIndexesInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicClause_VarsInRangeInner as VarsInRangeInner0 with predicate Invariant0.invariant' = Invariant7.invariant'
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model11 with type t = Type.creusat_watches_watcher,
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicUtil_Sorted as Sorted0 with predicate SortedRange0.sorted_range = SortedRange0.sorted_range
   clone CreuSat_Logic_LogicAssignments_Impl0_Model as Model6 with function Model0.model = Model1.model
   clone CreuSat_Logic_LogicLit_Impl1_Sat as Sat0 with function Model0.model = Model6.model,
   predicate SatInner0.sat_inner = SatInner1.sat_inner
+  clone CreuSat_Logic_LogicTrail_LitIsUniqueInner as LitIsUniqueInner0 with function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model2.model,
+  function Model1.model = Model3.model, predicate Sat0.sat = Sat0.sat
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model7 with type t = usize, type a = Type.alloc_alloc_global, axiom .
+  clone CreuSat_Logic_LogicTrail_Impl2_DecisionsAreSorted as DecisionsAreSorted0 with function Model0.model = Model7.model,
+  predicate Sorted0.sorted = Sorted0.sorted
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model8 with type t = Type.creusat_trail_step,
+  type a = Type.alloc_alloc_global, axiom .
   clone CreuSat_Logic_LogicTrail_Impl2_TrailEntriesAreAssigned as TrailEntriesAreAssigned0 with function Model0.model = Model8.model,
   function Model1.model = Model6.model,
   predicate TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner = TrailEntriesAreAssignedInner0.trail_entries_are_assigned_inner
-  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant1 with function Model0.model = Model6.model
-  clone CreuSat_Logic_LogicTrail_Impl0_Invariant as Invariant8 with function Model0.model = Model2.model,
-  function Model1.model = Model3.model
-  clone CreuSat_Logic_LogicTrail_Impl1_Invariant as Invariant6 with predicate Invariant0.invariant' = Invariant7.invariant',
-  predicate Invariant1.invariant' = Invariant8.invariant'
-  clone CreuSat_Logic_LogicTrail_CrefsInRange as CrefsInRange0 with predicate Invariant0.invariant' = Invariant6.invariant'
-  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
-  clone CreuSat_Logic_LogicTrail_LitNotInLessInner as LitNotInLessInner0 with function Model0.model = Model2.model,
-  predicate LitIdxIn0.lit_idx_in = LitIdxIn0.lit_idx_in
-  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model8.model,
-  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
-  clone CreuSat_Logic_LogicTrail_UnitAreSat as UnitAreSat0 with function Model0.model = Model2.model,
-  function Model1.model = Model3.model, predicate Sat0.sat = Sat0.sat
   clone CreuSat_Logic_LogicTrail_LongArePostUnitInner as LongArePostUnitInner0 with function Model0.model = Model2.model,
   function IndexLogic0.index_logic = IndexLogic0.index_logic,
   predicate ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner = ClausePostWithRegardsToInner0.clause_post_with_regards_to_inner
+  clone CreuSat_Logic_LogicTrail_Impl2_LitIsUnique as LitIsUnique0 with function Model0.model = Model8.model,
+  predicate LitIsUniqueInner0.lit_is_unique_inner = LitIsUniqueInner0.lit_is_unique_inner
+  clone CreuSat_Logic_LogicTrail_Impl2_LitNotInLess as LitNotInLess0 with function Model0.model = Model8.model,
+  predicate LitNotInLessInner0.lit_not_in_less_inner = LitNotInLessInner0.lit_not_in_less_inner
+  clone CreuSat_Logic_LogicTrail_LitToLevelInvariant as LitToLevelInvariant0
+  clone CreuSat_Logic_LogicTrail_TrailInvariant as TrailInvariant0 with predicate CrefsInRange0.crefs_in_range = CrefsInRange0.crefs_in_range
+  clone CreuSat_Logic_LogicClause_InvariantInternal as InvariantInternal0 with predicate VarsInRangeInner0.vars_in_range_inner = VarsInRangeInner0.vars_in_range_inner,
+  predicate NoDuplicateIndexesInner0.no_duplicate_indexes_inner = NoDuplicateIndexesInner0.no_duplicate_indexes_inner
+  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model11.model,
+  function Model1.model = Model2.model, function Model2.model = Model3.model,
+  function IndexLogic0.index_logic = IndexLogic0.index_logic
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model10 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
+  type a = Type.alloc_alloc_global, axiom .
+  clone CreusotContracts_Std1_Vec_Impl0_Model as Model9 with type t = Type.creusat_decision_node,
+  type a = Type.alloc_alloc_global, axiom .
   clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecisionMirror as InvariantNoDecisionMirror0 with function Model0.model = Model6.model,
   function Model1.model = Model8.model, predicate Invariant0.invariant' = Invariant6.invariant',
   function Model2.model = Model7.model, function Model3.model = Model2.model,
@@ -24439,6 +8312,7 @@ module CreuSat_Solver_Solver
   predicate LongArePostUnitInner0.long_are_post_unit_inner = LongArePostUnitInner0.long_are_post_unit_inner,
   predicate Sat0.sat = Sat0.sat, predicate Sorted0.sorted = Sorted0.sorted,
   predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat
+  clone CreuSat_Logic_LogicAssignments_Impl1_Invariant as Invariant1 with function Model0.model = Model6.model
   clone CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision as InvariantNoDecision0 with predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror,
   predicate Invariant0.invariant' = Invariant1.invariant', function Model0.model = Model8.model,
   predicate TrailInvariant0.trail_invariant = TrailInvariant0.trail_invariant, function Model1.model = Model7.model,
@@ -24449,32 +8323,22 @@ module CreuSat_Solver_Solver
   predicate TrailEntriesAreAssigned0.trail_entries_are_assigned = TrailEntriesAreAssigned0.trail_entries_are_assigned,
   predicate DecisionsAreSorted0.decisions_are_sorted = DecisionsAreSorted0.decisions_are_sorted,
   predicate UnitAreSat0.unit_are_sat = UnitAreSat0.unit_are_sat, axiom .
+  clone CreuSat_Logic_LogicClause_Impl2_Invariant as Invariant5 with function Model0.model = Model3.model,
+  predicate InvariantInternal0.invariant_internal = InvariantInternal0.invariant_internal
+  clone CreuSat_Logic_LogicFormula_FormulaInvariant as FormulaInvariant0 with predicate Invariant0.invariant' = Invariant5.invariant',
+  function Model0.model = Model3.model
+  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant4 with function Model0.model = Model10.model,
+  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
+  clone CreuSat_Logic_LogicDecision_Impl0_Invariant as Invariant3 with function Model0.model = Model9.model
   clone CreuSat_Logic_LogicTrail_Impl2_Invariant as Invariant2 with predicate InvariantNoDecision0.invariant_no_decision = InvariantNoDecision0.invariant_no_decision,
   function Model0.model = Model7.model, function Model1.model = Model8.model,
   predicate InvariantNoDecisionMirror0.invariant_no_decision_mirror = InvariantNoDecisionMirror0.invariant_no_decision_mirror
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model11.model,
-  function Model1.model = Model2.model, function Model2.model = Model3.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant4 with function Model0.model = Model10.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreuSat_Watches_Impl0_New_Interface as New3 with predicate Invariant0.invariant' = Invariant4.invariant'
-  clone CreuSat_Logic_LogicFormula_Impl1_InvariantMirror as InvariantMirror0 with function Model0.model = Model2.model,
+  clone CreuSat_Logic_LogicFormula_Impl2_InvariantMirror as InvariantMirror0 with function Model0.model = Model2.model,
   predicate Invariant0.invariant' = Invariant5.invariant', function Model1.model = Model3.model
-  clone CreuSat_Logic_LogicFormula_Impl1_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
+  clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicFormula_Impl2_Invariant as Invariant0 with predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror,
   function Model0.model = Model0.model,
   predicate FormulaInvariant0.formula_invariant = FormulaInvariant0.formula_invariant, axiom .
-  clone CreuSat_Watches_Impl0_InitWatches_Interface as InitWatches0 with predicate Invariant0.invariant' = Invariant4.invariant',
-  predicate Invariant1.invariant' = Invariant0.invariant',
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Decision_Impl1_New_Interface as New2 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant3.invariant',
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Trail_Impl0_New_Interface as New1 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  clone CreuSat_Assignments_Impl2_New_Interface as New0 with predicate Invariant0.invariant' = Invariant0.invariant',
-  predicate Invariant1.invariant' = Invariant1.invariant',
-  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
   clone CreusotContracts_Logic_Model_Impl0_Model as Model5 with type t = Type.creusat_formula_formula,
   type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model0.model
   clone CreuSat_Solver_Impl0_Inner_Interface as Inner0 with predicate Invariant0.invariant' = Invariant0.invariant',
@@ -24484,24 +8348,40 @@ module CreuSat_Solver_Solver
   predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass,
   predicate NotSatisfiable0.not_satisfiable = NotSatisfiable0.not_satisfiable,
   predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreuSat_Solver_Impl0_New_Interface as New4
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.creusat_decision_decisions
   clone CreuSat_Trail_Impl0_LearnUnits_Interface as LearnUnits0 with predicate Invariant0.invariant' = Invariant2.invariant',
   predicate Invariant1.invariant' = Invariant3.invariant', predicate Invariant2.invariant' = Invariant0.invariant',
   predicate NotSatisfiable0.not_satisfiable = NotSatisfiable0.not_satisfiable,
   predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreuSat_Watches_Impl0_InitWatches_Interface as InitWatches0 with predicate Invariant0.invariant' = Invariant4.invariant',
+  predicate Invariant1.invariant' = Invariant0.invariant',
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreuSat_Watches_Impl0_New_Interface as New3 with predicate Invariant0.invariant' = Invariant4.invariant'
+  clone CreuSat_Decision_Impl1_New_Interface as New2 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant3.invariant',
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreuSat_Trail_Impl0_New_Interface as New1 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant1.invariant', predicate Invariant2.invariant' = Invariant2.invariant',
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreuSat_Assignments_Impl2_New_Interface as New0 with predicate Invariant0.invariant' = Invariant0.invariant',
+  predicate Invariant1.invariant' = Invariant1.invariant',
+  predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
+  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_formula_formula
   clone CreuSat_Formula_Impl2_CheckFormulaInvariant_Interface as CheckFormulaInvariant0 with function Model0.model = Model5.model,
   function Model1.model = Model1.model,
   predicate FormulaSatInner0.formula_sat_inner = FormulaSatInner0.formula_sat_inner,
   predicate NotSatisfiable0.not_satisfiable = NotSatisfiable0.not_satisfiable,
   predicate Invariant0.invariant' = Invariant0.invariant',
   predicate InvariantMirror0.invariant_mirror = InvariantMirror0.invariant_mirror
-  let rec cfg solver [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 356 0 356 49] (formula : borrowed (Type.creusat_formula_formula)) : Type.creusat_solver_satresult
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 351 0 355 3] match (result) with
-      | Type.CreuSat_Solver_SatResult_Sat assn -> FormulaSatInner0.formula_sat_inner (Model0.model ( ^ formula)) (Model1.model assn) && Equisat0.equisat ( * formula) ( ^ formula)
-      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable ( ^ formula) && Equisat0.equisat ( * formula) ( ^ formula)
+  let rec cfg solver [@cfg:stackify] [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 356 0 356 49] (formula : borrowed (Type.creusat_formula_formula)) : Type.creusat_solver_satresult
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 351 0 355 3] match (result) with
+      | Type.CreuSat_Solver_SatResult_Sat assn -> FormulaSatInner0.formula_sat_inner (Model0.model ( ^ formula)) (Model1.model assn) /\ Equisat0.equisat ( * formula) ( ^ formula)
+      | Type.CreuSat_Solver_SatResult_Unsat -> NotSatisfiable0.not_satisfiable ( ^ formula) /\ Equisat0.equisat ( * formula) ( ^ formula)
       | _ -> true
       end }
     
-   =
+   = [@vc:do_not_keep_trace] [@vc:sp]
   var _0 : Type.creusat_solver_satresult;
   var formula_1 : borrowed (Type.creusat_formula_formula);
   var _2 : ();
@@ -24543,7 +8423,7 @@ module CreuSat_Solver_Solver
   }
   BB0 {
     _4 <-  * formula_1;
-    _3 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 357 10 357 43] CheckFormulaInvariant0.check_formula_invariant _4);
+    _3 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 357 10 357 43] CheckFormulaInvariant0.check_formula_invariant _4);
     goto BB1
   }
   BB1 {
@@ -24565,28 +8445,28 @@ module CreuSat_Solver_Solver
   BB4 {
     _9 <-  * formula_1;
     _11 <-  * formula_1;
-    _10 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 361 40 361 65] New0.new _11);
+    _10 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 361 40 361 65] New0.new _11);
     goto BB5
   }
   BB5 {
-    trail_8 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 361 20 361 66] New1.new _9 _10);
+    trail_8 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 361 20 361 66] New1.new _9 _10);
     goto BB6
   }
   BB6 {
     _13 <-  * formula_1;
-    decisions_12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 362 24 362 47] New2.new _13);
+    decisions_12 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 362 24 362 47] New2.new _13);
     goto BB7
   }
   BB7 {
     _15 <-  * formula_1;
-    watches_14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 363 22 363 43] New3.new _15);
+    watches_14 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 363 22 363 43] New3.new _15);
     goto BB8
   }
   BB8 {
     _17 <- borrow_mut watches_14;
     watches_14 <-  ^ _17;
     _18 <-  * formula_1;
-    _16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 364 4 364 33] InitWatches0.init_watches _17 _18);
+    _16 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 364 4 364 33] InitWatches0.init_watches _17 _18);
     goto BB9
   }
   BB9 {
@@ -24597,7 +8477,7 @@ module CreuSat_Solver_Solver
     decisions_12 <-  ^ _24;
     _23 <- borrow_mut ( * _24);
     _24 <- { _24 with current = ( ^ _23) };
-    _20 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 365 10 365 52] LearnUnits0.learn_units _21 _22 _23);
+    _20 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 365 10 365 52] LearnUnits0.learn_units _21 _22 _23);
     goto BB10
   }
   BB10 {
@@ -24625,7 +8505,7 @@ module CreuSat_Solver_Solver
   BB14 {
     _19 <- ();
     _29 <-  * formula_1;
-    solver_28 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 370 21 370 41] New4.new _29);
+    solver_28 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 370 21 370 41] New4.new _29);
     goto BB16
   }
   BB15 {
@@ -24640,7 +8520,7 @@ module CreuSat_Solver_Solver
     _32 <- decisions_12;
     _33 <- trail_8;
     _34 <- watches_14;
-    _0 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/solver.rs" 371 4 371 52] Inner0.inner _30 _31 _32 _33 _34);
+    _0 <- ([#"/Users/xavier/Code/sat/CreuSAT/src/solver.rs" 371 4 371 52] Inner0.inner _30 _31 _32 _33 _34);
     goto BB17
   }
   BB17 {
@@ -24697,146 +8577,14 @@ module CreuSat_Watches_Impl0_MoveToEnd_Interface
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic_Interface as IndexLogic0
   clone CreuSat_Logic_LogicWatches_Impl0_Invariant_Interface as Invariant0
   val move_to_end [@cfg:stackify] (self : borrowed (Type.creusat_watches_watches)) (old_idx : usize) (old_pos : usize) (new_lit : Type.creusat_lit_lit) (_f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 118 4 118 43] Invariant0.invariant' ( * self) _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 119 4 119 54] IndexLogic0.index_logic new_lit < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 120 4 120 72] ToNegWatchidxLogic0.to_neg_watchidx_logic new_lit < Seq.length (Model0.model (Type.creusat_watches_watches_Watches_watches ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 121 4 121 49] UInt64.to_int old_idx < Seq.length (Model0.model (Type.creusat_watches_watches_Watches_watches ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 122 4 122 62] UInt64.to_int old_pos < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( * self))) (UInt64.to_int old_idx)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 118 4 118 43] Invariant0.invariant' ( ^ self) _f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 123 4 123 93] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( ^ self))) (UInt64.to_int old_idx))) = Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( * self))) (UInt64.to_int old_idx))) }
-    
-end
-module CreuSat_Watches_Impl0_MoveToEnd
-  use mach.int.Int
-  use prelude.Prelude
-  use mach.int.UInt64
-  use mach.int.Int32
-  use seq.Seq
-  use Type
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model4 with type t = Type.creusat_lit_lit,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model3 with function Model0.model = Model4.model
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model1 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
-  clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
-  clone CreuSat_Logic_LogicWatches_WatchesInvariantInternal as WatchesInvariantInternal0 with function Model0.model = Model1.model,
-  function Model1.model = Model2.model, function Model2.model = Model3.model,
-  function IndexLogic0.index_logic = IndexLogic0.index_logic
-  clone CreuSat_Logic_LogicLit_Impl0_ToNegWatchidxLogic as ToNegWatchidxLogic0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
-  function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicWatches_Impl0_Invariant as Invariant0 with function Model0.model = Model0.model,
-  predicate WatchesInvariantInternal0.watches_invariant_internal = WatchesInvariantInternal0.watches_invariant_internal
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve2 with type t = seq (Type.creusat_watches_watcher)
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy1 with type t = Type.creusat_watches_watcher
-  clone CreusotContracts_Std1_Slice_Impl0_Model as Model5 with type t = Type.creusat_watches_watcher, axiom .
-  clone CreusotContracts_Logic_Model_Impl1_Model as Model6 with type t = seq (Type.creusat_watches_watcher),
-  type ModelTy0.modelTy = ModelTy1.modelTy, function Model0.model = Model5.model
-  clone Core_Slice_Impl0_Swap_Interface as Swap0 with type t = Type.creusat_watches_watcher,
-  function Model0.model = Model6.model, function Model1.model = Model5.model
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve1 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_ResolveElswhere as ResolveElswhere0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Logic_Resolve_Impl1_Resolve as Resolve0 with type t = Type.creusat_watches_watches
-  clone CreusotContracts_Std1_Slice_Impl0_ModelTy as ModelTy0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone Core_Slice_Index_Impl2_Output as Output0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_HasValue as HasValue0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone CreusotContracts_Std1_Slice_Impl3_InBounds as InBounds0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)
-  clone Alloc_Vec_Impl11_DerefMut_Interface as DerefMut0 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, function Model0.model = Model5.model, function Model1.model = Model1.model
-  clone Alloc_Vec_Impl1_Len_Interface as Len0 with type t = Type.creusat_watches_watcher,
-  type a = Type.alloc_alloc_global, function Model0.model = Model1.model
-  clone Alloc_Vec_Impl17_IndexMut_Interface as IndexMut0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type i = usize, type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = Output0.output
-  clone Alloc_Vec_Impl16_Index_Interface as Index0 with type t = Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global),
-  type i = usize, type a = Type.alloc_alloc_global, function Model0.model = Model0.model,
-  predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value,
-  type Output0.output = Output0.output
-  let rec cfg move_to_end [@cfg:stackify] [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 124 4 124 93] (self : borrowed (Type.creusat_watches_watches)) (old_idx : usize) (old_pos : usize) (new_lit : Type.creusat_lit_lit) (_f : Type.creusat_formula_formula) : ()
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 118 4 118 43] Invariant0.invariant' ( * self) _f}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 119 4 119 54] IndexLogic0.index_logic new_lit < div 18446744073709551615 2}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 120 4 120 72] ToNegWatchidxLogic0.to_neg_watchidx_logic new_lit < Seq.length (Model0.model (Type.creusat_watches_watches_Watches_watches ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 121 4 121 49] UInt64.to_int old_idx < Seq.length (Model0.model (Type.creusat_watches_watches_Watches_watches ( * self)))}
-    requires {[#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 122 4 122 62] UInt64.to_int old_pos < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( * self))) (UInt64.to_int old_idx)))}
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 118 4 118 43] Invariant0.invariant' ( ^ self) _f }
-    ensures { [#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 123 4 123 93] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( ^ self))) (UInt64.to_int old_idx))) = Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( * self))) (UInt64.to_int old_idx))) }
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 118 4 118 43] Invariant0.invariant' ( * self) _f}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 119 4 119 54] IndexLogic0.index_logic new_lit < div 18446744073709551615 2}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 120 4 120 72] ToNegWatchidxLogic0.to_neg_watchidx_logic new_lit < Seq.length (Model0.model (Type.creusat_watches_watches_Watches_watches ( * self)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 121 4 121 49] UInt64.to_int old_idx < Seq.length (Model0.model (Type.creusat_watches_watches_Watches_watches ( * self)))}
+    requires {[#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 122 4 122 62] UInt64.to_int old_pos < Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( * self))) (UInt64.to_int old_idx)))}
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 118 4 118 43] Invariant0.invariant' ( ^ self) _f }
+    ensures { [#"/Users/xavier/Code/sat/CreuSAT/src/watches.rs" 123 4 123 93] Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( ^ self))) (UInt64.to_int old_idx))) = Seq.length (Model1.model (Seq.get (Model0.model (Type.creusat_watches_watches_Watches_watches ( * self))) (UInt64.to_int old_idx))) }
     
-   =
-  var _0 : ();
-  var self_1 : borrowed (Type.creusat_watches_watches);
-  var old_idx_2 : usize;
-  var old_pos_3 : usize;
-  var new_lit_4 : Type.creusat_lit_lit;
-  var _f_5 : Type.creusat_formula_formula;
-  var end'_6 : usize;
-  var _7 : usize;
-  var _8 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _9 : Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global);
-  var _10 : Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global);
-  var _11 : usize;
-  var _12 : ();
-  var _13 : borrowed (seq (Type.creusat_watches_watcher));
-  var _14 : borrowed (seq (Type.creusat_watches_watcher));
-  var _15 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _16 : borrowed (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global));
-  var _17 : borrowed (Type.alloc_vec_vec (Type.alloc_vec_vec (Type.creusat_watches_watcher) (Type.alloc_alloc_global)) (Type.alloc_alloc_global));
-  var _18 : usize;
-  var _19 : usize;
-  var _20 : usize;
-  {
-    self_1 <- self;
-    old_idx_2 <- old_idx;
-    old_pos_3 <- old_pos;
-    new_lit_4 <- new_lit;
-    _f_5 <- _f;
-    goto BB0
-  }
-  BB0 {
-    _10 <- Type.creusat_watches_watches_Watches_watches ( * self_1);
-    _11 <- old_idx_2;
-    _9 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 125 18 125 39] Index0.index _10 _11);
-    goto BB1
-  }
-  BB1 {
-    _8 <- _9;
-    _7 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 125 18 125 45] Len0.len _8);
-    goto BB2
-  }
-  BB2 {
-    end'_6 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 125 18 125 49] _7 - (1 : usize));
-    _17 <- borrow_mut (Type.creusat_watches_watches_Watches_watches ( * self_1));
-    self_1 <- { self_1 with current = (let Type.CreuSat_Watches_Watches a =  * self_1 in Type.CreuSat_Watches_Watches ( ^ _17)) };
-    assume { Resolve0.resolve self_1 };
-    _18 <- old_idx_2;
-    _16 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 126 8 126 29] IndexMut0.index_mut _17 _18);
-    goto BB3
-  }
-  BB3 {
-    _15 <- borrow_mut ( * _16);
-    _16 <- { _16 with current = ( ^ _15) };
-    assume { Resolve1.resolve _16 };
-    _14 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 126 8 126 48] DerefMut0.deref_mut _15);
-    goto BB4
-  }
-  BB4 {
-    _13 <- borrow_mut ( * _14);
-    _14 <- { _14 with current = ( ^ _13) };
-    _19 <- old_pos_3;
-    _20 <- end'_6;
-    _12 <- ([#"/Users/e34402/Code/CreuSAT/CreuSAT/src/watches.rs" 126 8 126 48] Swap0.swap _13 _19 _20);
-    goto BB5
-  }
-  BB5 {
-    assume { Resolve2.resolve _14 };
-    _0 <- ();
-    return _0
-  }
-  
 end
 module CreuSat_Clause_Impl1
   use Type
@@ -24845,9 +8593,9 @@ module CreuSat_Clause_Impl1
   use mach.int.UInt64
   clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_lit_lit,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model2.model
   clone CreuSat_Clause_Impl0_Output as Output0
   clone CreuSat_Logic_LogicClause_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicClause_Impl0_Model as Model1 with function Model0.model = Model2.model
   clone CreusotContracts_Logic_Model_Impl1_Model as Model0 with type t = Type.creusat_clause_clause,
   type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
   clone CreuSat_Clause_Impl1_IndexMut_Interface as IndexMut0 with function Model0.model = Model0.model,
@@ -24862,9 +8610,9 @@ module CreuSat_Formula_Impl1
   use mach.int.UInt64
   clone CreusotContracts_Std1_Vec_Impl0_Model as Model2 with type t = Type.creusat_clause_clause,
   type a = Type.alloc_alloc_global, axiom .
-  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model1 with function Model0.model = Model2.model
   clone CreuSat_Formula_Impl0_Output as Output0
   clone CreuSat_Logic_LogicFormula_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Logic_LogicFormula_Impl0_Model as Model1 with function Model0.model = Model2.model
   clone CreusotContracts_Logic_Model_Impl1_Model as Model0 with type t = Type.creusat_formula_formula,
   type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
   clone CreuSat_Formula_Impl1_IndexMut_Interface as IndexMut0 with function Model0.model = Model0.model,
@@ -24878,13 +8626,6 @@ module Core_Clone_Clone_CloneFrom_Interface
   val clone_from [@cfg:stackify] (self : borrowed self) (source : self) : ()
     requires {false}
     
-end
-module Core_Clone_Clone_CloneFrom
-  type self
-  use prelude.Prelude
-  val clone_from [@cfg:stackify] (self : borrowed self) (source : self) : ()
-    requires {false}
-    
 end
 module Core_Clone_Clone_Clone_Interface
   type self
@@ -24892,13 +8633,6 @@ module Core_Clone_Clone_Clone_Interface
   val clone' [@cfg:stackify] (self : self) : self
     requires {false}
     
-end
-module Core_Clone_Clone_Clone
-  type self
-  use prelude.Prelude
-  val clone' [@cfg:stackify] (self : self) : self
-    requires {false}
-    
 end
 module CreuSat_Decision_Impl2
   use Type
@@ -24926,8 +8660,8 @@ module CreuSat_Lit_Impl0_ModelTy
 end
 module CreuSat_Lit_Impl0
   use Type
-  clone CreuSat_Lit_Impl0_Model as Model0
   clone CreuSat_Lit_Impl0_ModelTy as ModelTy0
+  clone CreuSat_Lit_Impl0_Model as Model0
   clone CreusotContracts_Logic_Model_Model_Model_Interface as Model1 with type self = Type.creusat_lit_lit,
   function model = Model0.model, type ModelTy0.modelTy = ModelTy0.modelTy
   clone CreusotContracts_Logic_Model_Model_ModelTy as ModelTy1 with type self = Type.creusat_lit_lit,
@@ -24940,14 +8674,6 @@ module Core_Cmp_PartialEq_Ne_Interface
   val ne [@cfg:stackify] (self : self) (other : rhs) : bool
     requires {false}
     
-end
-module Core_Cmp_PartialEq_Ne
-  type self
-  type rhs
-  use prelude.Prelude
-  val ne [@cfg:stackify] (self : self) (other : rhs) : bool
-    requires {false}
-    
 end
 module Core_Cmp_PartialEq_Eq_Interface
   type self
@@ -24961,27 +8687,14 @@ module Core_Cmp_PartialEq_Eq_Interface
   val eq [@cfg:stackify] (self : self) (other : rhs) : bool
     ensures { result = (Model0.model self = Model1.model other) }
     
-end
-module Core_Cmp_PartialEq_Eq
-  type self
-  type rhs
-  use prelude.Prelude
-  clone CreusotContracts_Logic_Model_Model_ModelTy as ModelTy0 with type self = self
-  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model1 with type t = rhs,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  clone CreusotContracts_Logic_Model_Impl0_Model_Interface as Model0 with type t = self,
-  type ModelTy0.modelTy = ModelTy0.modelTy
-  val eq [@cfg:stackify] (self : self) (other : rhs) : bool
-    ensures { result = (Model0.model self = Model1.model other) }
-    
 end
 module CreuSat_Lit_Impl2
   use Type
   clone CreuSat_Lit_Impl0_Model as Model1
-  clone Core_Cmp_PartialEq_Ne_Interface as Ne0 with type self = Type.creusat_lit_lit, type rhs = Type.creusat_lit_lit
   clone CreuSat_Lit_Impl0_ModelTy as ModelTy0
   clone CreusotContracts_Logic_Model_Impl0_Model as Model0 with type t = Type.creusat_lit_lit,
   type ModelTy0.modelTy = ModelTy0.modelTy, function Model0.model = Model1.model
+  clone Core_Cmp_PartialEq_Ne_Interface as Ne0 with type self = Type.creusat_lit_lit, type rhs = Type.creusat_lit_lit
   clone CreuSat_Lit_Impl2_Eq_Interface as Eq0
   clone Core_Cmp_PartialEq_Eq_Interface as Eq1 with type self = Type.creusat_lit_lit, type rhs = Type.creusat_lit_lit,
   val eq = Eq0.eq, function Model0.model = Model0.model, function Model1.model = Model0.model,
@@ -25002,21 +8715,14 @@ module Core_Ops_Bit_Not_Not_Interface
   val not' [@cfg:stackify] (self : self) : Output0.output
     requires {false}
     
-end
-module Core_Ops_Bit_Not_Not
-  type self
-  clone Core_Ops_Bit_Not_Output as Output0 with type self = self
-  val not' [@cfg:stackify] (self : self) : Output0.output
-    requires {false}
-    
 end
 module CreuSat_Lit_Impl3
   use Type
   clone CreuSat_Logic_LogicLit_Impl0_IsPositiveLogic as IsPositiveLogic0
   clone CreuSat_Logic_LogicLit_Impl0_IndexLogic as IndexLogic0
+  clone CreuSat_Lit_Impl3_Output as Output0
   clone CreuSat_Lit_Impl3_Not_Interface as Not0 with function IndexLogic0.index_logic = IndexLogic0.index_logic,
   function IsPositiveLogic0.is_positive_logic = IsPositiveLogic0.is_positive_logic
-  clone CreuSat_Lit_Impl3_Output as Output0
   clone Core_Ops_Bit_Not_Not_Interface as Not1 with type self = Type.creusat_lit_lit, val not' = Not0.not',
   type Output0.output = Output0.output
   clone Core_Ops_Bit_Not_Output as Output1 with type self = Type.creusat_lit_lit, type output = Output0.output
diff --git a/mlcfgs/CreuSAT/why3session.xml b/mlcfgs/CreuSAT/why3session.xml
index 2a2293f8..c0f3f654 100644
--- a/mlcfgs/CreuSAT/why3session.xml
+++ b/mlcfgs/CreuSAT/why3session.xml
@@ -5,10272 +5,681 @@
 <prover id="2" name="Alt-Ergo" version="2.4.1" timelimit="1" steplimit="0" memlimit="1000"/>
 <prover id="3" name="Z3" version="4.8.14" timelimit="1" steplimit="0" memlimit="1000"/>
 <prover id="4" name="CVC4" version="1.8" timelimit="1" steplimit="0" memlimit="1000"/>
-<file format="mlcfg" proved="true">
+<file format="mlcfg">
 <path name=".."/><path name="CreuSAT.mlcfg"/>
-<theory name="CreuSat_Solver_Impl0_New" proved="true">
- <goal name="new&#39;vc" expl="VC for new" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="38"/></proof>
- </goal>
-</theory>
 <theory name="CreuSat_Solver_Impl0_IncreaseNumConflicts" proved="true">
  <goal name="increase_num_conflicts&#39;vc" expl="VC for increase_num_conflicts" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="72"/></proof>
+ <proof prover="2"><result status="valid" time="0.01" steps="64"/></proof>
  </goal>
 </theory>
 <theory name="CreuSat_Solver_Impl0_IncreaseNumLemmas" proved="true">
  <goal name="increase_num_lemmas&#39;vc" expl="VC for increase_num_lemmas" proved="true">
- <proof prover="2"><result status="valid" time="0.02" steps="72"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Util_UpdateFast" proved="true">
- <goal name="update_fast&#39;vc" expl="VC for update_fast" proved="true">
- <proof prover="3"><result status="valid" time="0.06" steps="104340"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Util_UpdateSlow" proved="true">
- <goal name="update_slow&#39;vc" expl="VC for update_slow" proved="true">
- <proof prover="3"><result status="valid" time="0.06" steps="105326"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Assignments_Impl0_Index" proved="true">
- <goal name="index&#39;vc" expl="VC for index" proved="true">
- <proof prover="2"><result status="valid" time="0.02" steps="100"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Assignments_Impl1_IndexMut" proved="true">
- <goal name="index_mut&#39;vc" expl="VC for index_mut" proved="true">
- <proof prover="2"><result status="valid" time="0.04" steps="490"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Assignments_Impl2_Len" proved="true">
- <goal name="len&#39;vc" expl="VC for len" proved="true">
- <proof prover="2"><result status="valid" time="0.02" steps="111"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Logic_LogicFormula_Impl1_Invariant_Impl" proved="true">
- <goal name="invariant&#39;&#39;vc" expl="VC for invariant&#39;" proved="true">
- <proof prover="2"><result status="valid" time="0.04" steps="362"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Lit_Impl1_IsPositive" proved="true">
- <goal name="is_positive&#39;vc" expl="VC for is_positive" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="30"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Lit_Impl1_Index" proved="true">
- <goal name="index&#39;vc" expl="VC for index" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="32"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Assignments_Impl2_SetAssignment" proved="true">
- <goal name="set_assignment&#39;vc" expl="VC for set_assignment" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="set_assignment&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="188"/></proof>
-  </goal>
-  <goal name="set_assignment&#39;vc.1" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.38" steps="739714"/></proof>
-  </goal>
-  <goal name="set_assignment&#39;vc.2" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="set_assignment&#39;vc.2.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.49" steps="3318"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="set_assignment&#39;vc.3" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.12" steps="278670"/></proof>
-  </goal>
-  <goal name="set_assignment&#39;vc.4" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.10" steps="273260"/></proof>
-  </goal>
-  <goal name="set_assignment&#39;vc.5" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.12" steps="281728"/></proof>
-  </goal>
-  <goal name="set_assignment&#39;vc.6" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.12" steps="279519"/></proof>
-  </goal>
-  <goal name="set_assignment&#39;vc.7" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="188"/></proof>
-  </goal>
-  <goal name="set_assignment&#39;vc.8" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.38" steps="739654"/></proof>
-  </goal>
-  <goal name="set_assignment&#39;vc.9" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="set_assignment&#39;vc.9.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.40" steps="4520"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="set_assignment&#39;vc.10" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.13" steps="278605"/></proof>
-  </goal>
-  <goal name="set_assignment&#39;vc.11" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.10" steps="273198"/></proof>
-  </goal>
-  <goal name="set_assignment&#39;vc.12" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.14" steps="281669"/></proof>
-  </goal>
-  <goal name="set_assignment&#39;vc.13" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.12" steps="279459"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Assignments_Impl2_New" proved="true">
- <goal name="new&#39;vc" expl="VC for new" proved="true">
- <proof prover="2"><result status="valid" time="0.04" steps="319"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Clause_Impl0_Index" proved="true">
- <goal name="index&#39;vc" expl="VC for index" proved="true">
- <proof prover="2"><result status="valid" time="0.02" steps="90"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Clause_Impl1_IndexMut" proved="true">
- <goal name="index_mut&#39;vc" expl="VC for index_mut" proved="true">
- <proof prover="2"><result status="valid" time="0.05" steps="514"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Clause_Impl3_Len" proved="true">
- <goal name="len&#39;vc" expl="VC for len" proved="true">
- <proof prover="2"><result status="valid" time="0.02" steps="61"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Lit_Impl1_CheckLitInvariant" proved="true">
- <goal name="check_lit_invariant&#39;vc" expl="VC for check_lit_invariant" proved="true">
- <proof prover="2"><result status="valid" time="0.02" steps="151"/></proof>
+ <proof prover="2"><result status="valid" time="0.02" steps="64"/></proof>
  </goal>
 </theory>
 <theory name="CreuSat_Clause_Impl0" proved="true">
  <goal name="Index1.index&#39;refn&#39;vc" expl="VC for index&#39;refn" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="28"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Clause_Impl3_NoDuplicates" proved="true">
- <goal name="no_duplicates&#39;vc" expl="VC for no_duplicates" proved="true">
- <proof prover="4"><result status="valid" time="0.65" steps="97511"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Clause_Impl3_CheckClauseInvariant" proved="true">
- <goal name="check_clause_invariant&#39;vc" expl="VC for check_clause_invariant" proved="true">
- <proof prover="2"><result status="valid" time="0.17" steps="1934"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Clause_Impl3_MoveToEnd" proved="true">
- <goal name="move_to_end&#39;vc" expl="VC for move_to_end" proved="true">
- <proof prover="2" timelimit="120" memlimit="8000"><result status="valid" time="34.60" steps="363022"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Clause_Impl3_RemoveFromClause" proved="true">
- <goal name="remove_from_clause&#39;vc" expl="VC for remove_from_clause" proved="true">
- <proof prover="2" timelimit="120" memlimit="8000"><result status="valid" time="4.79" steps="61714"/></proof>
+ <proof prover="2"><result status="valid" time="0.01" steps="20"/></proof>
  </goal>
 </theory>
 <theory name="CreuSat_Assignments_Impl0" proved="true">
  <goal name="Index1.index&#39;refn&#39;vc" expl="VC for index&#39;refn" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="28"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Lit_Impl1_LitUnsat" proved="true">
- <goal name="lit_unsat&#39;vc" expl="VC for lit_unsat" proved="true">
- <proof prover="2"><result status="valid" time="0.05" steps="456"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Lit_Impl1_LitUnset" proved="true">
- <goal name="lit_unset&#39;vc" expl="VC for lit_unset" proved="true">
- <proof prover="2"><result status="valid" time="0.03" steps="307"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Clause_Impl3_UnitAndUnset" proved="true">
- <goal name="unit_and_unset&#39;vc" expl="VC for unit_and_unset" proved="true">
- <proof prover="2"><result status="valid" time="0.74" steps="6099"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Clause_Impl3_SwapLitsInClause" proved="true">
- <goal name="swap_lits_in_clause&#39;vc" expl="VC for swap_lits_in_clause" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="swap_lits_in_clause&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="98"/></proof>
-  </goal>
-  <goal name="swap_lits_in_clause&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="109"/></proof>
-  </goal>
-  <goal name="swap_lits_in_clause&#39;vc.2" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="71"/></proof>
-  </goal>
-  <goal name="swap_lits_in_clause&#39;vc.3" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="71"/></proof>
-  </goal>
-  <goal name="swap_lits_in_clause&#39;vc.4" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap_lits_in_clause&#39;vc.4.0" expl="assertion" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="3.08" steps="28865"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap_lits_in_clause&#39;vc.5" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap_lits_in_clause&#39;vc.5.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.07" steps="462"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap_lits_in_clause&#39;vc.6" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="327"/></proof>
-  </goal>
-  <goal name="swap_lits_in_clause&#39;vc.7" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap_lits_in_clause&#39;vc.7.0" expl="assertion" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="swap_lits_in_clause&#39;vc.7.0.0" expl="assertion" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="swap_lits_in_clause&#39;vc.7.0.0.0" expl="VC for swap_lits_in_clause" proved="true">
-     <proof prover="2"><result status="valid" time="0.09" steps="710"/></proof>
-     </goal>
-     <goal name="swap_lits_in_clause&#39;vc.7.0.0.1" expl="VC for swap_lits_in_clause" proved="true">
-     <proof prover="2"><result status="valid" time="0.10" steps="697"/></proof>
-     </goal>
-     <goal name="swap_lits_in_clause&#39;vc.7.0.0.2" expl="VC for swap_lits_in_clause" proved="true">
-     <proof prover="2"><result status="valid" time="0.10" steps="666"/></proof>
-     </goal>
-     <goal name="swap_lits_in_clause&#39;vc.7.0.0.3" expl="VC for swap_lits_in_clause" proved="true">
-     <proof prover="2"><result status="valid" time="0.10" steps="677"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap_lits_in_clause&#39;vc.8" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="812"/></proof>
-  </goal>
-  <goal name="swap_lits_in_clause&#39;vc.9" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="96"/></proof>
-  </goal>
-  <goal name="swap_lits_in_clause&#39;vc.10" expl="assertion" proved="true">
-  <transf name="inline_goal" proved="true" >
-   <goal name="swap_lits_in_clause&#39;vc.10.0" expl="assertion" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="swap_lits_in_clause&#39;vc.10.0.0" expl="assertion" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="swap_lits_in_clause&#39;vc.10.0.0.0" expl="assertion" proved="true">
-     <transf name="inline_goal" proved="true" >
-      <goal name="swap_lits_in_clause&#39;vc.10.0.0.0.0" expl="assertion" proved="true">
-      <transf name="split_all_full" proved="true" >
-       <goal name="swap_lits_in_clause&#39;vc.10.0.0.0.0.0" expl="assertion" proved="true">
-       <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.32" steps="152701"/></proof>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="swap_lits_in_clause&#39;vc.10.0.1" expl="assertion" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="swap_lits_in_clause&#39;vc.10.0.1.0" expl="assertion" proved="true">
-     <transf name="inline_goal" proved="true" >
-      <goal name="swap_lits_in_clause&#39;vc.10.0.1.0.0" expl="assertion" proved="true">
-      <transf name="split_all_full" proved="true" >
-       <goal name="swap_lits_in_clause&#39;vc.10.0.1.0.0.0" expl="assertion" proved="true">
-       <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.23" steps="147316"/></proof>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap_lits_in_clause&#39;vc.11" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="788"/></proof>
-  </goal>
-  <goal name="swap_lits_in_clause&#39;vc.12" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="178"/></proof>
-  </goal>
-  <goal name="swap_lits_in_clause&#39;vc.13" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="179"/></proof>
-  </goal>
-  <goal name="swap_lits_in_clause&#39;vc.14" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="184"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Clause_Impl3_CalcLbd" proved="true">
- <goal name="calc_lbd&#39;vc" expl="VC for calc_lbd" proved="true">
- <proof prover="3"><result status="valid" time="0.72" steps="1126945"/></proof>
- <proof prover="4"><result status="valid" time="0.63" steps="96142"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_ConflictAnalysis_IdxIn" proved="true">
- <goal name="idx_in&#39;vc" expl="VC for idx_in" proved="true">
- <proof prover="2"><result status="valid" time="0.03" steps="208"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Logic_LogicTrail_Impl2_InvariantNoDecision_Impl" proved="true">
- <goal name="invariant_no_decision&#39;vc" expl="VC for invariant_no_decision" proved="true">
- <proof prover="2"><result status="valid" time="0.12" steps="1235"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Logic_LogicConflictAnalysis_LemmaEqFormulas_Impl" proved="true">
- <goal name="lemma_eq_formulas&#39;vc" expl="VC for lemma_eq_formulas" proved="true">
- <proof prover="2"><result status="valid" time="0.04" steps="225"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Logic_LogicConflictAnalysis_LemmaResolventOfEquisatExtensionIsEquisat_Impl" proved="true">
- <goal name="lemma_resolvent_of_equisat_extension_is_equisat&#39;vc" expl="VC for lemma_resolvent_of_equisat_extension_is_equisat" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="lemma_resolvent_of_equisat_extension_is_equisat&#39;vc.0" expl="postcondition" proved="true">
-  <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="2.35" steps="15036"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Trail_Impl0_DecisionLevel" proved="true">
- <goal name="decision_level&#39;vc" expl="VC for decision_level" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="37"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_ConflictAnalysis_Resolve" proved="true">
- <goal name="resolve&#39;vc" expl="VC for resolve" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="resolve&#39;vc.0" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="84"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="93"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="118"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.3" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="128"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.4" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="258"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.5" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="198"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.6" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="121"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.7" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.7.0" expl="assertion" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="resolve&#39;vc.7.0.0" expl="assertion" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="resolve&#39;vc.7.0.0.0" expl="assertion" proved="true">
-     <proof prover="2"><result status="valid" time="0.94" steps="8209"/></proof>
-     </goal>
-     <goal name="resolve&#39;vc.7.0.0.1" expl="assertion" proved="true">
-     <proof prover="2"><result status="valid" time="0.45" steps="3727"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.8" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="263"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.9" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="133"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.10" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="591"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.11" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="140"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.12" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.32" steps="3006"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.13" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="1092"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.14" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.16" steps="1288"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.15" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="157"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.16" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="317"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.17" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.24" steps="1985"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.18" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="318"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.19" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="157"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.20" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="331"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.21" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="163"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.22" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="164"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.23" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="164"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.24" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="164"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.25" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="164"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.26" expl="assertion" proved="true">
-  <proof prover="4"><result status="valid" time="0.87" steps="96577"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.27" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="209"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.28" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="434"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.29" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="437"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.30" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="439"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.31" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="1660"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.32" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="441"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.33" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="442"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.34" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="443"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.35" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="199"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.36" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="207"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.37" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="1037"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.38" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.70" steps="6087"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.39" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.39.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.39" steps="3108"/></proof>
-   </goal>
-   <goal name="resolve&#39;vc.39.1" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.26" steps="2047"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.40" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="234"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.41" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.96" steps="7363"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.42" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="275"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.43" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="312"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.44" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="338"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.45" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.45.0" expl="precondition" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.81" steps="16877"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.46" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.46.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.92" steps="9143"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.47" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.47.0" expl="assertion" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="0.29" steps="2425"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.48" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="930"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.49" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="1015"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.50" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.50.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="resolve&#39;vc.50.0.0" expl="loop invariant preservation" proved="true">
-    <transf name="inline_goal" proved="true" >
-     <goal name="resolve&#39;vc.50.0.0.0" expl="loop invariant preservation" proved="true">
-     <transf name="split_all_full" proved="true" >
-      <goal name="resolve&#39;vc.50.0.0.0.0" expl="loop invariant preservation" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="resolve&#39;vc.50.0.0.0.0.0" expl="loop invariant preservation" proved="true">
-       <transf name="split_all_full" proved="true" >
-        <goal name="resolve&#39;vc.50.0.0.0.0.0.0" expl="VC for resolve" proved="true">
-        <transf name="inline_goal" proved="true" >
-         <goal name="resolve&#39;vc.50.0.0.0.0.0.0.0" expl="VC for resolve" proved="true">
-         <transf name="split_vc" proved="true" >
-          <goal name="resolve&#39;vc.50.0.0.0.0.0.0.0.0" expl="VC for resolve" proved="true">
-          <transf name="inline_goal" proved="true" >
-           <goal name="resolve&#39;vc.50.0.0.0.0.0.0.0.0.0" expl="VC for resolve" proved="true">
-           <proof prover="2" timelimit="30" memlimit="4000"><result status="valid" time="7.48" steps="89869"/></proof>
-           </goal>
-          </transf>
-          </goal>
-         </transf>
-         </goal>
-        </transf>
-        </goal>
-        <goal name="resolve&#39;vc.50.0.0.0.0.0.1" expl="VC for resolve" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="resolve&#39;vc.50.0.0.0.0.0.1.0" expl="VC for resolve" proved="true">
-         <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.68" steps="150045"/></proof>
-         </goal>
-        </transf>
-        </goal>
-       </transf>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.51" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.51.0" expl="loop invariant preservation" proved="true">
-   <proof prover="4"><result status="valid" time="1.14" steps="127365"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.52" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="397"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.53" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.53.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="resolve&#39;vc.53.0.0" expl="loop invariant preservation" proved="true">
-    <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="3.77" steps="514184"/></proof>
-    </goal>
-   </transf>
-   </goal>
-   <goal name="resolve&#39;vc.53.1" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="resolve&#39;vc.53.1.0" expl="loop invariant preservation" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="resolve&#39;vc.53.1.0.0" expl="loop invariant preservation" proved="true">
-     <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="0.83" steps="95607"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.54" expl="loop invariant preservation" proved="true">
-  <proof prover="4"><result status="valid" time="1.08" steps="115595"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.55" expl="loop invariant preservation" proved="true">
-  <proof prover="3"><result status="valid" time="0.19" steps="524527"/></proof>
-  <proof prover="4"><result status="valid" time="0.98" steps="115156"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.56" expl="loop invariant preservation" proved="true">
-  <proof prover="4"><result status="valid" time="1.09" steps="120925"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.57" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="1018"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.58" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.58.0" expl="loop invariant preservation" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="2.23" steps="222425"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.59" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="1018"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.60" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.60.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="3.59" steps="33681"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.61" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="406"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.62" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="408"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.63" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="408"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.64" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="408"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.65" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.40" steps="3281"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.66" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.66.0" expl="assertion" proved="true">
-   <proof prover="3"><result status="valid" time="0.18" steps="494551"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.67" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.36" steps="2537"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.68" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="989"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.69" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="1081"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.70" expl="loop invariant preservation" proved="true">
-  <transf name="inline_all" proved="true" >
-   <goal name="resolve&#39;vc.70.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="resolve&#39;vc.70.0.0" expl="loop invariant preservation" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="resolve&#39;vc.70.0.0.0" expl="loop invariant preservation" proved="true">
-     <proof prover="3" timelimit="5" memlimit="2000"><result status="valid" time="3.02" steps="4415120"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="resolve&#39;vc.70.0.1" expl="loop invariant preservation" proved="true">
-    <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.98" steps="213270"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.71" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.71.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="resolve&#39;vc.71.0.0" expl="loop invariant preservation" proved="true">
-    <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.07" steps="120766"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.72" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="403"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.73" expl="loop invariant preservation" proved="true">
-  <transf name="inline_all" proved="true" >
-   <goal name="resolve&#39;vc.73.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="resolve&#39;vc.73.0.0" expl="loop invariant preservation" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="resolve&#39;vc.73.0.0.0" expl="loop invariant preservation" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="resolve&#39;vc.73.0.0.0.0" expl="loop invariant preservation" proved="true">
-      <proof prover="3" timelimit="5" memlimit="2000"><result status="valid" time="3.11" steps="4383940"/></proof>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="resolve&#39;vc.73.0.1" expl="loop invariant preservation" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="resolve&#39;vc.73.0.1.0" expl="loop invariant preservation" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="resolve&#39;vc.73.0.1.0.0" expl="loop invariant preservation" proved="true">
-      <proof prover="3" timelimit="5" memlimit="2000"><result status="valid" time="3.02" steps="4348559"/></proof>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.74" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.74.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="resolve&#39;vc.74.0.0" expl="loop invariant preservation" proved="true">
-    <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.10" steps="117455"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.75" expl="loop invariant preservation" proved="true">
-  <proof prover="3"><result status="valid" time="0.21" steps="525130"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.76" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.56" steps="4308"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.77" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="1080"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.78" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.78.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="resolve&#39;vc.78.0.0" expl="loop invariant preservation" proved="true">
-    <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="2.13" steps="223267"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.79" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="1077"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.80" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.80.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="resolve&#39;vc.80.0.0" expl="loop invariant preservation" proved="true">
-    <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.49" steps="152788"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.81" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="413"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.82" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="413"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.83" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="413"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.84" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="414"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.85" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.85.0" expl="assertion" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.85" steps="17253"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.86" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve&#39;vc.86.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="229"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.87" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="239"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.88" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="535"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.89" expl="loop invariant preservation" proved="true">
-  <transf name="inline_all" proved="true" >
-   <goal name="resolve&#39;vc.89.0" expl="loop invariant preservation" proved="true">
-   <proof prover="3"><result status="valid" time="0.06" steps="62334"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.90" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="234"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.91" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="235"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.92" expl="loop invariant preservation" proved="true">
-  <transf name="inline_all" proved="true" >
-   <goal name="resolve&#39;vc.92.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="resolve&#39;vc.92.0.0" expl="loop invariant preservation" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="resolve&#39;vc.92.0.0.0" expl="loop invariant preservation" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="resolve&#39;vc.92.0.0.0.0" expl="loop invariant preservation" proved="true">
-      <proof prover="3" timelimit="5" memlimit="2000"><result status="valid" time="0.20" steps="638756"/></proof>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="resolve&#39;vc.92.0.1" expl="loop invariant preservation" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="resolve&#39;vc.92.0.1.0" expl="loop invariant preservation" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="resolve&#39;vc.92.0.1.0.0" expl="loop invariant preservation" proved="true">
-      <proof prover="3" timelimit="5" memlimit="2000"><result status="valid" time="0.20" steps="640075"/></proof>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve&#39;vc.93" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="598"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.94" expl="loop invariant preservation" proved="true">
-  <proof prover="4"><result status="valid" time="0.57" steps="73380"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.95" expl="loop invariant preservation" proved="true">
-  <proof prover="4"><result status="valid" time="0.57" steps="73599"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.96" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="235"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.97" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="235"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.98" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="235"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.99" expl="loop invariant preservation" proved="true">
-  <proof prover="4"><result status="valid" time="0.39" steps="65266"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.100" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="235"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.101" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="235"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.102" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="235"/></proof>
-  </goal>
-  <goal name="resolve&#39;vc.103" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="235"/></proof>
-  </goal>
- </transf>
+ <proof prover="2"><result status="valid" time="0.01" steps="20"/></proof>
  </goal>
 </theory>
-<theory name="CreuSat_ConflictAnalysis_ChooseLiteral" proved="true">
- <goal name="choose_literal&#39;vc" expl="VC for choose_literal" proved="true">
- <proof prover="3"><result status="valid" time="0.83" steps="1385037"/></proof>
- <proof prover="4"><result status="valid" time="1.00" steps="137070"/></proof>
+<theory name="CreuSat_Formula_Impl0" proved="true">
+ <goal name="Index1.index&#39;refn&#39;vc" expl="VC for index&#39;refn" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="20"/></proof>
  </goal>
 </theory>
-<theory name="CreuSat_Formula_Impl0_Index" proved="true">
- <goal name="index&#39;vc" expl="VC for index" proved="true">
- <proof prover="2"><result status="valid" time="0.02" steps="96"/></proof>
+<theory name="CreuSat_Clause_Impl2" proved="true">
+ <goal name="Clone1.clone&#39;&#39;refn&#39;vc" expl="VC for clone&#39;&#39;refn" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="20"/></proof>
  </goal>
 </theory>
-<theory name="CreuSat_Util_Sort" proved="true">
- <goal name="sort&#39;vc" expl="VC for sort" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="sort&#39;vc.0" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="34"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="96"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.2" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="60"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.3" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="92"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.4" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="95"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.5" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="107"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.6" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="89"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.7" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="172"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.8" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.01" steps="78"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.9" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="112"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.10" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="72"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="211"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="259"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.13" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="233"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.14" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="135"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.15" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="435"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.16" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="254"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.17" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.26" steps="3110"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.18" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.45" steps="4196"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.19" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="98"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.20" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="117"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.21" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="445"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.22" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="326"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.23" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="265"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.24" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="136"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.25" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="447"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.26" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="487"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.27" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="267"/></proof>
-  </goal>
-  <goal name="sort&#39;vc.28" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="141"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Decision_Impl1_Rescore" proved="true">
- <goal name="rescore&#39;vc" expl="VC for rescore" proved="true">
- <proof prover="3"><result status="valid" time="0.35" steps="669094"/></proof>
- <proof prover="4"><result status="valid" time="0.71" steps="95503"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Decision_Impl1_MoveToFront" proved="true">
- <goal name="move_to_front&#39;vc" expl="VC for move_to_front" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="move_to_front&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.01" steps="61"/></proof>
-  </goal>
-  <goal name="move_to_front&#39;vc.1" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="335"/></proof>
-  </goal>
-  <goal name="move_to_front&#39;vc.2" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.2.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.04" steps="333"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.3" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.3.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.04" steps="327"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.4" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.4.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.28" steps="637847"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.5" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.5.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.10" steps="841"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.6" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.6.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.33" steps="725726"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.7" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.7.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.08" steps="786"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.8" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.8.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.34" steps="726264"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.9" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.9.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.09" steps="1009"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.10" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.10.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.39" steps="814496"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.11" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.11.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="1.03" steps="6806"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.12" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.12.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.03" steps="239"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.13" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.13.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.04" steps="337"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.14" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.14.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.04" steps="329"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.15" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.15.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.33" steps="677092"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.16" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.16.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.10" steps="867"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.17" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.17.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.38" steps="762195"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.18" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.18.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.08" steps="810"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.19" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.19.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.38" steps="763353"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.20" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.20.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.09" steps="1035"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.21" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="move_to_front&#39;vc.21.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.44" steps="854461"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="move_to_front&#39;vc.22" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="75"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Decision_Impl1_IncrementAndMove" proved="true">
- <goal name="increment_and_move&#39;vc" expl="VC for increment_and_move" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="increment_and_move&#39;vc.0" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="54"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="54"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.2" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="55"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.3" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="58"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.4" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="87"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.5" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="89"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.6" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="266"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.7" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="188"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.8" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="125"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.9" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="136"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="994"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="140"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.12" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="491"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.13" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="153"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.14" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="153"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.15" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="154"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.16" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="81"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.17" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="296"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.18" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="96"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.19" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="115"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.20" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="443"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.21" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="152"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.22" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="152"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.23" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="153"/></proof>
-  </goal>
-  <goal name="increment_and_move&#39;vc.24" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="2076"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Formula_Impl0" proved="true">
- <goal name="Index1.index&#39;refn&#39;vc" expl="VC for index&#39;refn" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="28"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Clause_Impl2" proved="true">
- <goal name="Clone1.clone&#39;&#39;refn&#39;vc" expl="VC for clone&#39;&#39;refn" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="28"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_ConflictAnalysis_AnalyzeConflict" proved="true">
- <goal name="analyze_conflict&#39;vc" expl="VC for analyze_conflict" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="analyze_conflict&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="154"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="252"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.2" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="88"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.3" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="91"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.4" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="165"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.5" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="265"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.6" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="127"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.7" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="1057"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.8" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="742"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.9" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.37" steps="2602"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.10" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="255"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.11" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="254"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.12" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="140"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.13" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="142"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.14" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="179"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.15" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="184"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.16" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="185"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.17" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="186"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.18" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="461"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.19" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="248"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.20" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="1.09" steps="6255"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.21" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="585"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.22" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="284"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.23" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.81" steps="3441"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.24" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.43" steps="3040"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.25" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="314"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.26" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="314"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.27" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="1.18" steps="5853"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.28" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="683"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.29" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="234"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.30" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="235"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.31" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.58" steps="3911"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.32" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="459"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.33" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.29" steps="2326"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.34" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="427"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.35" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="182"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.36" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="184"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.37" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="380"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.38" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="201"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.39" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="201"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.40" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="205"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.41" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="205"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.42" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="206"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.43" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.44" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.45" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.46" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.47" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.48" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.49" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.50" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.51" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.52" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.53" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.54" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="1.19" steps="7113"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.55" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="663"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.56" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="239"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.57" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="239"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.58" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="222"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.59" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="222"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.60" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="576"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.61" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.64" steps="3314"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.62" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="655"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.63" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.63.0" expl="assertion" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.39" steps="5961"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.64" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="263"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.65" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="264"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.66" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.69" steps="3443"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.67" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.88" steps="4506"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.68" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.68.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.10" steps="884"/></proof>
-   </goal>
-   <goal name="analyze_conflict&#39;vc.68.1" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.23" steps="1674"/></proof>
-   </goal>
-   <goal name="analyze_conflict&#39;vc.68.2" expl="precondition" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="2.25" steps="9298"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.69" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="287"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.70" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.70.0" expl="precondition" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="2.17" steps="9166"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.71" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="1.16" steps="5270"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.72" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="963"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.73" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="813"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.74" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="813"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.75" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="301"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.76" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.76.0" expl="precondition" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="2.92" steps="16714"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.77" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="304"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.78" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="306"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.79" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="775"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.80" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.80.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.68" steps="3696"/></proof>
-   </goal>
-   <goal name="analyze_conflict&#39;vc.80.1" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.52" steps="2891"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.81" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="775"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.82" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="781"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.83" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="780"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.84" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="1012"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.85" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="849"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.86" expl="loop invariant preservation" proved="true">
-  <transf name="inline_goal" proved="true" >
-   <goal name="analyze_conflict&#39;vc.86.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_all_full" proved="true" >
-    <goal name="analyze_conflict&#39;vc.86.0.0" expl="loop invariant preservation" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="analyze_conflict&#39;vc.86.0.0.0" expl="loop invariant preservation" proved="true">
-     <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="0.40" steps="1851"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.87" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.73" steps="3314"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.88" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="658"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.89" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.89.0" expl="assertion" proved="true">
-   <proof prover="3" timelimit="5" memlimit="2000"><result status="valid" time="1.79" steps="2378798"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.90" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="261"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.91" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="263"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.92" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.71" steps="3490"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.93" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.73" steps="3663"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.94" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.94.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.15" steps="883"/></proof>
-   </goal>
-   <goal name="analyze_conflict&#39;vc.94.1" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.34" steps="1672"/></proof>
-   </goal>
-   <goal name="analyze_conflict&#39;vc.94.2" expl="precondition" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="3.30" steps="14961"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.95" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="285"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.96" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.24" steps="590638"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.97" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="1.10" steps="5273"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.98" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="962"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.99" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="812"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.100" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="812"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.101" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="300"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.102" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.102.0" expl="precondition" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="2.78" steps="16871"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.103" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="303"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.104" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="304"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.105" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="774"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.106" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.106.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.73" steps="3697"/></proof>
-   </goal>
-   <goal name="analyze_conflict&#39;vc.106.1" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.56" steps="2905"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.107" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="774"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.108" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="780"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.109" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="779"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.110" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="1012"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.111" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="847"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.112" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="843"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.113" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="208"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.114" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="212"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.115" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="212"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.116" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="213"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.117" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.118" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.119" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.120" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.121" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.122" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.123" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.124" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.125" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.126" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.127" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.128" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.96" steps="5766"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.129" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="695"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.130" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="244"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.131" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="244"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.132" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="229"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.133" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="229"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.134" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="129"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.135" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="1704"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.136" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="166"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.137" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="196"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.138" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.52" steps="4311"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.139" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="1497"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.140" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="1.86" steps="11418"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.141" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="240"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.142" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="242"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.143" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="243"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.144" expl="loop invariant preservation" proved="true">
-  <transf name="inline_all" proved="true" >
-   <goal name="analyze_conflict&#39;vc.144.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="analyze_conflict&#39;vc.144.0.0" expl="loop invariant preservation" proved="true">
-    <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.41" steps="167582"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.145" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.24" steps="1731"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.146" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="1108"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.147" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.147.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.28" steps="1682"/></proof>
-   </goal>
-   <goal name="analyze_conflict&#39;vc.147.1" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.61" steps="3572"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.148" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="243"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.149" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="245"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.150" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="246"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.151" expl="loop invariant preservation" proved="true">
-  <transf name="inline_goal" proved="true" >
-   <goal name="analyze_conflict&#39;vc.151.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_all_full" proved="true" >
-    <goal name="analyze_conflict&#39;vc.151.0.0" expl="loop invariant preservation" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="analyze_conflict&#39;vc.151.0.0.0" expl="loop invariant preservation" proved="true">
-     <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="2.28" steps="19978"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.152" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="138"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.153" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="223"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.154" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="84"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.155" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="87"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.156" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="148"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.157" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="242"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.158" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="123"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.159" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="949"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.160" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="676"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.161" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.31" steps="2232"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.162" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="233"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.163" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="232"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.164" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="135"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.165" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="138"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.166" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="176"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.167" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="179"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.168" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="180"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.169" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="181"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.170" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="445"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.171" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="249"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.172" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.67" steps="4300"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.173" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="566"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.174" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="286"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.175" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.49" steps="2802"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.176" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.30" steps="2151"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.177" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="324"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.178" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="325"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.179" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.86" steps="5304"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.180" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="666"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.181" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="235"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.182" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="235"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.183" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.42" steps="2792"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.184" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="442"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.185" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.27" steps="2133"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.186" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="394"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.187" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="178"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.188" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="180"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.189" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="350"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.190" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="197"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.191" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="196"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.192" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="200"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.193" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="201"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.194" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="203"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.195" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.196" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="249"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.197" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.198" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.199" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="249"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.200" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.201" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.202" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.203" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.204" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="249"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.205" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="250"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.206" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="1.06" steps="5744"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.207" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="631"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.208" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.72" steps="6100"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.209" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="605"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.210" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="216"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.211" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="216"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.212" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="523"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.213" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.64" steps="3070"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.214" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="611"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.215" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.215.0" expl="assertion" proved="true">
-   <proof prover="3" timelimit="5" memlimit="2000"><result status="valid" time="2.66" steps="2963736"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.216" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="258"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.217" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="259"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.218" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.56" steps="3225"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.219" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.71" steps="4286"/></proof>
-  <proof prover="4"><result status="valid" time="0.89" steps="101183"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.220" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.220.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.09" steps="833"/></proof>
-   </goal>
-   <goal name="analyze_conflict&#39;vc.220.1" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.20" steps="1550"/></proof>
-   </goal>
-   <goal name="analyze_conflict&#39;vc.220.2" expl="precondition" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.72" steps="8766"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.221" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="283"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.222" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.222.0" expl="precondition" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.74" steps="8635"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.223" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.93" steps="5031"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.224" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="907"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.225" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="762"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.226" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="763"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.227" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="296"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.228" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.228.0" expl="precondition" proved="true">
-   <proof prover="3" timelimit="5" memlimit="2000"><result status="valid" time="2.16" steps="2475748"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.229" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="299"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.230" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="300"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.231" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="726"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.232" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.232.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.57" steps="3475"/></proof>
-   </goal>
-   <goal name="analyze_conflict&#39;vc.232.1" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.44" steps="2668"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.233" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="726"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.234" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="732"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.235" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="732"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.236" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="962"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.237" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="796"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.238" expl="loop invariant preservation" proved="true">
-  <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="0.17" steps="792"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.239" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.58" steps="3070"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.240" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="609"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.241" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.241.0" expl="assertion" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="3.00" steps="18045"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.242" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.243" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="258"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.244" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.52" steps="3311"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.245" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.52" steps="3576"/></proof>
-  <proof prover="4"><result status="valid" time="0.80" steps="101215"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.246" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.246.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.11" steps="830"/></proof>
-   </goal>
-   <goal name="analyze_conflict&#39;vc.246.1" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.25" steps="1549"/></proof>
-   </goal>
-   <goal name="analyze_conflict&#39;vc.246.2" expl="precondition" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="2.60" steps="15153"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.247" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="282"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.248" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.23" steps="589410"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.249" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.99" steps="5063"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.250" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="906"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.251" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="760"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.252" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="761"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.253" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="295"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.254" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.254.0" expl="precondition" proved="true">
-   <proof prover="3" timelimit="5" memlimit="2000"><result status="valid" time="2.03" steps="2426092"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.255" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="299"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.256" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="300"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.257" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="725"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.258" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.258.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.73" steps="3480"/></proof>
-   </goal>
-   <goal name="analyze_conflict&#39;vc.258.1" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.43" steps="2664"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.259" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="725"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.260" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="731"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.261" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="730"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.262" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="955"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.263" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="795"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.264" expl="loop invariant preservation" proved="true">
-  <transf name="inline_goal" proved="true" >
-   <goal name="analyze_conflict&#39;vc.264.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_all_full" proved="true" >
-    <goal name="analyze_conflict&#39;vc.264.0.0" expl="loop invariant preservation" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="analyze_conflict&#39;vc.264.0.0.0" expl="loop invariant preservation" proved="true">
-     <proof prover="2" timelimit="30" memlimit="4000"><result status="valid" time="0.28" steps="1712"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.265" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="204"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.266" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="207"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.267" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="208"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.268" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="209"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.269" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="258"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.270" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="258"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.271" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.272" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.273" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.274" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.275" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.276" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.277" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="258"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.278" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.279" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="257"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.280" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.79" steps="4568"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.281" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="663"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.282" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.98" steps="9747"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.283" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="640"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.284" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="223"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.285" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="224"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.286" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="126"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.287" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.19" steps="1583"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.288" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="162"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.289" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="191"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.290" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.53" steps="4084"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.291" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="458"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.292" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="analyze_conflict&#39;vc.292.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.09" steps="497"/></proof>
-   </goal>
-   <goal name="analyze_conflict&#39;vc.292.1" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.09" steps="514"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.293" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="237"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.294" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="238"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.295" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="238"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.296" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="486"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.297" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="1050"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.298" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="987"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.299" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.62" steps="4163"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.300" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="239"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.301" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="241"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.302" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="242"/></proof>
-  </goal>
-  <goal name="analyze_conflict&#39;vc.303" expl="loop invariant preservation" proved="true">
-  <transf name="inline_goal" proved="true" >
-   <goal name="analyze_conflict&#39;vc.303.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_all_full" proved="true" >
-    <goal name="analyze_conflict&#39;vc.303.0.0" expl="loop invariant preservation" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="analyze_conflict&#39;vc.303.0.0.0" expl="loop invariant preservation" proved="true">
-     <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.90" steps="16652"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_ConflictAnalysis_ResolveEmptyClause" proved="true">
- <goal name="resolve_empty_clause&#39;vc" expl="VC for resolve_empty_clause" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="resolve_empty_clause&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="100"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="179"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.2" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="66"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.3" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="118"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.4" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="1.43" steps="13107"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.5" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="113"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.6" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="199"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.7" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="212"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.8" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.9" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="120"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="349"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.22" steps="2056"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="459"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="188"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.14" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="189"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.15" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.31" steps="2211"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.16" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.38" steps="2663"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.17" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.86" steps="7032"/></proof>
-  <proof prover="4"><result status="valid" time="0.74" steps="89318"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.18" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="1.20" steps="8780"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.19" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.83" steps="6392"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.20" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.42" steps="4258"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.21" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="668"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.22" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="553"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.23" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="823"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.24" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="resolve_empty_clause&#39;vc.24.0" expl="precondition" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="resolve_empty_clause&#39;vc.24.0.0" expl="precondition" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="resolve_empty_clause&#39;vc.24.0.0.0" expl="precondition" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="resolve_empty_clause&#39;vc.24.0.0.0.0" expl="precondition" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="resolve_empty_clause&#39;vc.24.0.0.0.0.0" expl="precondition" proved="true">
-       <proof prover="2" timelimit="30" memlimit="4000"><result status="valid" time="10.32" steps="81971"/></proof>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.25" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="218"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.26" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="567"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.27" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.30" steps="2142"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.28" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="224"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.29" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.19" steps="1218"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.30" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="128"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.31" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="99"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.32" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="1344"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.33" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="564"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.34" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.24" steps="2597"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.35" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="130"/></proof>
-  </goal>
-  <goal name="resolve_empty_clause&#39;vc.36" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="132"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Decision_Impl0_Default" proved="true">
- <goal name="default&#39;vc" expl="VC for default" proved="true">
- <proof prover="2"><result status="valid" time="0.02" steps="124"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Decision_Impl0" proved="true">
- <goal name="Default1.default&#39;refn&#39;vc" expl="VC for default&#39;refn" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="28"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Decision_Impl1_MakeLinkedList" proved="true">
- <goal name="make_linked_list&#39;vc" expl="VC for make_linked_list" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="make_linked_list&#39;vc.0" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="67"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="70"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.2" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="193"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.3" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="191"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.4" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.77" steps="5778"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.5" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="96"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.6" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="232"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.7" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="437"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.8" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="156"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.9" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="337"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.10" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="664"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="202"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="445"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="511"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.14" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="637"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.15" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="563"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.16" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="286"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.17" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="289"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.18" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="make_linked_list&#39;vc.18.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="make_linked_list&#39;vc.18.0.0" expl="loop invariant preservation" proved="true">
-    <proof prover="2"><result status="valid" time="0.50" steps="3463"/></proof>
-    </goal>
-   </transf>
-   </goal>
-   <goal name="make_linked_list&#39;vc.18.1" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="make_linked_list&#39;vc.18.1.0" expl="loop invariant preservation" proved="true">
-    <proof prover="2"><result status="valid" time="1.01" steps="6229"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="make_linked_list&#39;vc.19" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="278"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.20" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="330"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.21" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="183"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.22" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="376"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.23" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="440"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.24" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="521"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.25" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="494"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.26" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="267"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.27" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="269"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.28" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="make_linked_list&#39;vc.28.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="make_linked_list&#39;vc.28.0.0" expl="loop invariant preservation" proved="true">
-    <proof prover="2"><result status="valid" time="0.58" steps="4141"/></proof>
-    </goal>
-   </transf>
-   </goal>
-   <goal name="make_linked_list&#39;vc.28.1" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="make_linked_list&#39;vc.28.1.0" expl="loop invariant preservation" proved="true">
-    <proof prover="3"><result status="valid" time="0.54" steps="901445"/></proof>
-    <proof prover="4"><result status="valid" time="0.66" steps="73828"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="make_linked_list&#39;vc.29" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="255"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.30" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="298"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.31" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="349"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.32" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="422"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.33" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="394"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.34" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="241"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.35" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="423"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.36" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="make_linked_list&#39;vc.36.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="make_linked_list&#39;vc.36.0.0" expl="loop invariant preservation" proved="true">
-    <proof prover="2"><result status="valid" time="0.06" steps="676"/></proof>
-    </goal>
-   </transf>
-   </goal>
-   <goal name="make_linked_list&#39;vc.36.1" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="make_linked_list&#39;vc.36.1.0" expl="loop invariant preservation" proved="true">
-    <proof prover="2"><result status="valid" time="0.10" steps="699"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="make_linked_list&#39;vc.37" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="138"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.38" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="268"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.39" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="317"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.40" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="380"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.41" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="458"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.42" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="427"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.43" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="246"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.44" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="461"/></proof>
-  </goal>
-  <goal name="make_linked_list&#39;vc.45" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="make_linked_list&#39;vc.45.0" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="make_linked_list&#39;vc.45.0.0" expl="loop invariant preservation" proved="true">
-    <proof prover="2"><result status="valid" time="0.23" steps="2172"/></proof>
-    </goal>
-   </transf>
-   </goal>
-   <goal name="make_linked_list&#39;vc.45.1" expl="loop invariant preservation" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="make_linked_list&#39;vc.45.1.0" expl="loop invariant preservation" proved="true">
-    <proof prover="2"><result status="valid" time="1.36" steps="10197"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Util_SortReverse" proved="true">
- <goal name="sort_reverse&#39;vc" expl="VC for sort_reverse" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="sort_reverse&#39;vc.0" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="34"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="96"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.2" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="60"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.3" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="92"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.4" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="95"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.5" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="107"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.6" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="89"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.7" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="172"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.8" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="78"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.9" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="112"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.10" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="72"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="211"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="259"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.13" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="233"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.14" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="135"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.15" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="437"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.16" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="254"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.17" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.42" steps="3171"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.18" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.44" steps="3878"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.19" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="98"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.20" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="117"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.21" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="445"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.22" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="326"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.23" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="265"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.24" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="136"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.25" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="447"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.26" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="487"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.27" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="267"/></proof>
-  </goal>
-  <goal name="sort_reverse&#39;vc.28" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="141"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Decision_Impl1_New" proved="true">
- <goal name="new&#39;vc" expl="VC for new" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="new&#39;vc.0" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="115"/></proof>
-  </goal>
-  <goal name="new&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="79"/></proof>
-  </goal>
-  <goal name="new&#39;vc.2" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="111"/></proof>
-  </goal>
-  <goal name="new&#39;vc.3" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="113"/></proof>
-  </goal>
-  <goal name="new&#39;vc.4" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="201"/></proof>
-  </goal>
-  <goal name="new&#39;vc.5" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="944"/></proof>
-  </goal>
-  <goal name="new&#39;vc.6" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="158"/></proof>
-  </goal>
-  <goal name="new&#39;vc.7" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="159"/></proof>
-  </goal>
-  <goal name="new&#39;vc.8" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="254"/></proof>
-  </goal>
-  <goal name="new&#39;vc.9" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="195"/></proof>
-  </goal>
-  <goal name="new&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="199"/></proof>
-  </goal>
-  <goal name="new&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="336"/></proof>
-  </goal>
-  <goal name="new&#39;vc.12" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="212"/></proof>
-  </goal>
-  <goal name="new&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="554"/></proof>
-  </goal>
-  <goal name="new&#39;vc.14" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="207"/></proof>
-  </goal>
-  <goal name="new&#39;vc.15" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="401"/></proof>
-  </goal>
-  <goal name="new&#39;vc.16" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="236"/></proof>
-  </goal>
-  <goal name="new&#39;vc.17" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="239"/></proof>
-  </goal>
-  <goal name="new&#39;vc.18" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="2492"/></proof>
-  </goal>
-  <goal name="new&#39;vc.19" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="144"/></proof>
-  </goal>
-  <goal name="new&#39;vc.20" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="159"/></proof>
-  </goal>
-  <goal name="new&#39;vc.21" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="492"/></proof>
-  </goal>
-  <goal name="new&#39;vc.22" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="189"/></proof>
-  </goal>
-  <goal name="new&#39;vc.23" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="191"/></proof>
-  </goal>
-  <goal name="new&#39;vc.24" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="878"/></proof>
-  </goal>
-  <goal name="new&#39;vc.25" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="196"/></proof>
-  </goal>
-  <goal name="new&#39;vc.26" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="117"/></proof>
-  </goal>
-  <goal name="new&#39;vc.27" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="203"/></proof>
-  </goal>
-  <goal name="new&#39;vc.28" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="124"/></proof>
-  </goal>
-  <goal name="new&#39;vc.29" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="492"/></proof>
-  </goal>
-  <goal name="new&#39;vc.30" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="152"/></proof>
-  </goal>
-  <goal name="new&#39;vc.31" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="152"/></proof>
-  </goal>
-  <goal name="new&#39;vc.32" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="148"/></proof>
-  </goal>
-  <goal name="new&#39;vc.33" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="1222"/></proof>
-  </goal>
-  <goal name="new&#39;vc.34" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="300"/></proof>
-  </goal>
-  <goal name="new&#39;vc.35" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="1013"/></proof>
-  </goal>
-  <goal name="new&#39;vc.36" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="174"/></proof>
-  </goal>
-  <goal name="new&#39;vc.37" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="174"/></proof>
-  </goal>
-  <goal name="new&#39;vc.38" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="175"/></proof>
-  </goal>
-  <goal name="new&#39;vc.39" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="178"/></proof>
-  </goal>
-  <goal name="new&#39;vc.40" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="1530"/></proof>
-  </goal>
-  <goal name="new&#39;vc.41" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="472"/></proof>
-  </goal>
-  <goal name="new&#39;vc.42" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="1113"/></proof>
-  </goal>
-  <goal name="new&#39;vc.43" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="232"/></proof>
-  </goal>
-  <goal name="new&#39;vc.44" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="232"/></proof>
-  </goal>
-  <goal name="new&#39;vc.45" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="234"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Decision_Impl1_GetNext" proved="true">
- <goal name="get_next&#39;vc" expl="VC for get_next" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="get_next&#39;vc.0" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="122"/></proof>
-  </goal>
-  <goal name="get_next&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="56"/></proof>
-  </goal>
-  <goal name="get_next&#39;vc.2" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="108"/></proof>
-  </goal>
-  <goal name="get_next&#39;vc.3" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="806"/></proof>
-  </goal>
-  <goal name="get_next&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="70"/></proof>
-  </goal>
-  <goal name="get_next&#39;vc.5" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="287"/></proof>
-  </goal>
-  <goal name="get_next&#39;vc.6" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="187"/></proof>
-  </goal>
-  <goal name="get_next&#39;vc.7" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="get_next&#39;vc.7.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.56" steps="814404"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="get_next&#39;vc.8" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="848"/></proof>
-  </goal>
-  <goal name="get_next&#39;vc.9" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="63"/></proof>
-  </goal>
-  <goal name="get_next&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="226"/></proof>
-  </goal>
-  <goal name="get_next&#39;vc.11" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="514"/></proof>
-  </goal>
-  <goal name="get_next&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="226"/></proof>
-  </goal>
-  <goal name="get_next&#39;vc.13" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="get_next&#39;vc.13.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.28" steps="542743"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="get_next&#39;vc.14" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="912"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Formula_Impl1_IndexMut" proved="true">
- <goal name="index_mut&#39;vc" expl="VC for index_mut" proved="true">
- <proof prover="2"><result status="valid" time="0.08" steps="658"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Formula_Impl2_CheckFormulaInvariant" proved="true">
- <goal name="check_formula_invariant&#39;vc" expl="VC for check_formula_invariant" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="check_formula_invariant&#39;vc.0" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="36"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.1" expl="division by zero" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="37"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.2" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="59"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.3" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="65"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.4" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="65"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.5" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.33" steps="4630"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.6" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="80"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.7" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="103"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.8" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="507"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.9" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="315"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.10" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="317"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.11" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.63" steps="6216"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.12" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="675"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.13" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="383"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.14" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="523"/></proof>
-  </goal>
-  <goal name="check_formula_invariant&#39;vc.15" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="324"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Lit_Impl1_LitSat" proved="true">
- <goal name="lit_sat&#39;vc" expl="VC for lit_sat" proved="true">
- <proof prover="2"><result status="valid" time="0.05" steps="459"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Formula_Impl2_IsClauseSat" proved="true">
- <goal name="is_clause_sat&#39;vc" expl="VC for is_clause_sat" proved="true">
- <proof prover="2"><result status="valid" time="0.14" steps="1256"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Lit_Impl1_ToNegWatchidx" proved="true">
- <goal name="to_neg_watchidx&#39;vc" expl="VC for to_neg_watchidx" proved="true">
- <proof prover="2"><result status="valid" time="0.04" steps="518"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Watches_Impl0_AddWatcher" proved="true">
- <goal name="add_watcher&#39;vc" expl="VC for add_watcher" proved="true">
- <proof prover="4"><result status="valid" time="0.68" steps="98626"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Formula_Impl2_AddClause" proved="true">
- <goal name="add_clause&#39;vc" expl="VC for add_clause" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="add_clause&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="54"/></proof>
-  </goal>
-  <goal name="add_clause&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="60"/></proof>
-  </goal>
-  <goal name="add_clause&#39;vc.2" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_clause&#39;vc.2.0" expl="precondition" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="add_clause&#39;vc.2.0.0" expl="precondition" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="add_clause&#39;vc.2.0.0.0" expl="precondition" proved="true">
-     <transf name="inline_goal" proved="true" >
-      <goal name="add_clause&#39;vc.2.0.0.0.0" expl="precondition" proved="true">
-      <transf name="split_all_full" proved="true" >
-       <goal name="add_clause&#39;vc.2.0.0.0.0.0" expl="VC for add_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.07" steps="289"/></proof>
-       </goal>
-       <goal name="add_clause&#39;vc.2.0.0.0.0.1" expl="VC for add_clause" proved="true">
-       <proof prover="4"><result status="valid" time="0.79" steps="90010"/></proof>
-       </goal>
-       <goal name="add_clause&#39;vc.2.0.0.0.0.2" expl="VC for add_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.19" steps="1367"/></proof>
-       </goal>
-       <goal name="add_clause&#39;vc.2.0.0.0.0.3" expl="VC for add_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.16" steps="1081"/></proof>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_clause&#39;vc.3" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_clause&#39;vc.3.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="144"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_clause&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="932"/></proof>
-  </goal>
-  <goal name="add_clause&#39;vc.5" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_clause&#39;vc.5.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.13" steps="1014"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_clause&#39;vc.6" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.67" steps="4334"/></proof>
-  </goal>
-  <goal name="add_clause&#39;vc.7" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_clause&#39;vc.7.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="172"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_clause&#39;vc.8" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="102"/></proof>
-  </goal>
-  <goal name="add_clause&#39;vc.9" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_clause&#39;vc.9.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.07" steps="161"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_clause&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="994"/></proof>
-  </goal>
-  <goal name="add_clause&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="1178"/></proof>
-  </goal>
-  <goal name="add_clause&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.58" steps="4337"/></proof>
-  </goal>
-  <goal name="add_clause&#39;vc.13" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_clause&#39;vc.13.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.05" steps="200"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_clause&#39;vc.14" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="108"/></proof>
-  </goal>
-  <goal name="add_clause&#39;vc.15" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_clause&#39;vc.15.0" expl="assertion" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="5.30" steps="958840"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_clause&#39;vc.16" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_clause&#39;vc.16.0" expl="assertion" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="add_clause&#39;vc.16.0.0" expl="assertion" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="add_clause&#39;vc.16.0.0.0" expl="VC for add_clause" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="add_clause&#39;vc.16.0.0.0.0" expl="VC for add_clause" proved="true">
-      <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.53" steps="10371"/></proof>
-      </goal>
-     </transf>
-     </goal>
-     <goal name="add_clause&#39;vc.16.0.0.1" expl="VC for add_clause" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="add_clause&#39;vc.16.0.0.1.0" expl="VC for add_clause" proved="true">
-      <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.55" steps="8905"/></proof>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_clause&#39;vc.17" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_clause&#39;vc.17.0" expl="assertion" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="5.30" steps="39406"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_clause&#39;vc.18" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_clause&#39;vc.18.0" expl="postcondition" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.25" steps="8878"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_clause&#39;vc.19" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_clause&#39;vc.19.0" expl="postcondition" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="add_clause&#39;vc.19.0.0" expl="postcondition" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="add_clause&#39;vc.19.0.0.0" expl="VC for add_clause" proved="true">
-     <transf name="inline_goal" proved="true" >
-      <goal name="add_clause&#39;vc.19.0.0.0.0" expl="VC for add_clause" proved="true">
-      <transf name="split_all_full" proved="true" >
-       <goal name="add_clause&#39;vc.19.0.0.0.0.0" expl="VC for add_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.14" steps="895"/></proof>
-       </goal>
-       <goal name="add_clause&#39;vc.19.0.0.0.0.1" expl="VC for add_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.08" steps="175"/></proof>
-       </goal>
-       <goal name="add_clause&#39;vc.19.0.0.0.0.2" expl="VC for add_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.15" steps="875"/></proof>
-       </goal>
-       <goal name="add_clause&#39;vc.19.0.0.0.0.3" expl="VC for add_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.65" steps="3581"/></proof>
-       </goal>
-       <goal name="add_clause&#39;vc.19.0.0.0.0.4" expl="VC for add_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.10" steps="437"/></proof>
-       </goal>
-       <goal name="add_clause&#39;vc.19.0.0.0.0.5" expl="VC for add_clause" proved="true">
-       <proof prover="2"><result status="valid" time="1.21" steps="8650"/></proof>
-       </goal>
-       <goal name="add_clause&#39;vc.19.0.0.0.0.6" expl="VC for add_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.10" steps="442"/></proof>
-       </goal>
-       <goal name="add_clause&#39;vc.19.0.0.0.0.7" expl="VC for add_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.11" steps="443"/></proof>
-       </goal>
-       <goal name="add_clause&#39;vc.19.0.0.0.0.8" expl="VC for add_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.98" steps="7151"/></proof>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-     <goal name="add_clause&#39;vc.19.0.0.1" expl="VC for add_clause" proved="true">
-     <proof prover="2"><result status="valid" time="0.12" steps="461"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_clause&#39;vc.20" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="161"/></proof>
-  </goal>
-  <goal name="add_clause&#39;vc.21" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="451"/></proof>
-  </goal>
-  <goal name="add_clause&#39;vc.22" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="169"/></proof>
-  </goal>
-  <goal name="add_clause&#39;vc.23" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="127"/></proof>
-  </goal>
-  <goal name="add_clause&#39;vc.24" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_clause&#39;vc.24.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.07" steps="192"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_clause&#39;vc.25" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_clause&#39;vc.25.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.07" steps="200"/></proof>
-   </goal>
-  </transf>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Formula_Impl2_AddUnwatchedClause" proved="true">
- <goal name="add_unwatched_clause&#39;vc" expl="VC for add_unwatched_clause" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="add_unwatched_clause&#39;vc.0" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_unwatched_clause&#39;vc.0.0" expl="assertion" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="add_unwatched_clause&#39;vc.0.0.0" expl="assertion" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="add_unwatched_clause&#39;vc.0.0.0.0" expl="assertion" proved="true">
-     <transf name="inline_goal" proved="true" >
-      <goal name="add_unwatched_clause&#39;vc.0.0.0.0.0" expl="assertion" proved="true">
-      <transf name="split_all_full" proved="true" >
-       <goal name="add_unwatched_clause&#39;vc.0.0.0.0.0.0" expl="VC for add_unwatched_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.14" steps="947"/></proof>
-       </goal>
-       <goal name="add_unwatched_clause&#39;vc.0.0.0.0.0.1" expl="VC for add_unwatched_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.29" steps="2005"/></proof>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_unwatched_clause&#39;vc.1" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_unwatched_clause&#39;vc.1.0" expl="assertion" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="2.21" steps="15673"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_unwatched_clause&#39;vc.2" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_unwatched_clause&#39;vc.2.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="1.43" steps="8674"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_unwatched_clause&#39;vc.3" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_unwatched_clause&#39;vc.3.0" expl="postcondition" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="add_unwatched_clause&#39;vc.3.0.0" expl="postcondition" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="add_unwatched_clause&#39;vc.3.0.0.0" expl="VC for add_unwatched_clause" proved="true">
-     <transf name="inline_goal" proved="true" >
-      <goal name="add_unwatched_clause&#39;vc.3.0.0.0.0" expl="VC for add_unwatched_clause" proved="true">
-      <transf name="split_all_full" proved="true" >
-       <goal name="add_unwatched_clause&#39;vc.3.0.0.0.0.0" expl="VC for add_unwatched_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.14" steps="593"/></proof>
-       </goal>
-       <goal name="add_unwatched_clause&#39;vc.3.0.0.0.0.1" expl="VC for add_unwatched_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.08" steps="124"/></proof>
-       </goal>
-       <goal name="add_unwatched_clause&#39;vc.3.0.0.0.0.2" expl="VC for add_unwatched_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.13" steps="610"/></proof>
-       </goal>
-       <goal name="add_unwatched_clause&#39;vc.3.0.0.0.0.3" expl="VC for add_unwatched_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.48" steps="2710"/></proof>
-       </goal>
-       <goal name="add_unwatched_clause&#39;vc.3.0.0.0.0.4" expl="VC for add_unwatched_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.11" steps="296"/></proof>
-       </goal>
-       <goal name="add_unwatched_clause&#39;vc.3.0.0.0.0.5" expl="VC for add_unwatched_clause" proved="true">
-       <transf name="split_vc" proved="true" >
-        <goal name="add_unwatched_clause&#39;vc.3.0.0.0.0.5.0" expl="VC for add_unwatched_clause" proved="true">
-        <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.29" steps="9445"/></proof>
-        </goal>
-       </transf>
-       </goal>
-       <goal name="add_unwatched_clause&#39;vc.3.0.0.0.0.6" expl="VC for add_unwatched_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.10" steps="304"/></proof>
-       </goal>
-       <goal name="add_unwatched_clause&#39;vc.3.0.0.0.0.7" expl="VC for add_unwatched_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.10" steps="306"/></proof>
-       </goal>
-       <goal name="add_unwatched_clause&#39;vc.3.0.0.0.0.8" expl="VC for add_unwatched_clause" proved="true">
-       <proof prover="2"><result status="valid" time="0.79" steps="5885"/></proof>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-     <goal name="add_unwatched_clause&#39;vc.3.0.0.1" expl="VC for add_unwatched_clause" proved="true">
-     <proof prover="2"><result status="valid" time="0.08" steps="307"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_unwatched_clause&#39;vc.4" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.86" steps="101948"/></proof>
-  </goal>
-  <goal name="add_unwatched_clause&#39;vc.5" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="300"/></proof>
-  </goal>
-  <goal name="add_unwatched_clause&#39;vc.6" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_unwatched_clause&#39;vc.6.0" expl="postcondition" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="3.65" steps="30537"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_unwatched_clause&#39;vc.7" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="80"/></proof>
-  </goal>
-  <goal name="add_unwatched_clause&#39;vc.8" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_unwatched_clause&#39;vc.8.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.05" steps="141"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_unwatched_clause&#39;vc.9" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_unwatched_clause&#39;vc.9.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.05" steps="149"/></proof>
-   </goal>
-  </transf>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Formula_Impl2_AddUnit" proved="true">
- <goal name="add_unit&#39;vc" expl="VC for add_unit" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="add_unit&#39;vc.0" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_unit&#39;vc.0.0" expl="assertion" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="4.71" steps="780696"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_unit&#39;vc.1" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_unit&#39;vc.1.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.91" steps="7046"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_unit&#39;vc.2" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_unit&#39;vc.2.0" expl="postcondition" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="add_unit&#39;vc.2.0.0" expl="postcondition" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="add_unit&#39;vc.2.0.0.0" expl="VC for add_unit" proved="true">
-     <transf name="inline_goal" proved="true" >
-      <goal name="add_unit&#39;vc.2.0.0.0.0" expl="VC for add_unit" proved="true">
-      <transf name="split_all_full" proved="true" >
-       <goal name="add_unit&#39;vc.2.0.0.0.0.0" expl="VC for add_unit" proved="true">
-       <proof prover="2"><result status="valid" time="0.09" steps="549"/></proof>
-       </goal>
-       <goal name="add_unit&#39;vc.2.0.0.0.0.1" expl="VC for add_unit" proved="true">
-       <transf name="split_vc" proved="true" >
-        <goal name="add_unit&#39;vc.2.0.0.0.0.1.0" expl="VC for add_unit" proved="true">
-        <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="2.20" steps="15554"/></proof>
-        </goal>
-       </transf>
-       </goal>
-       <goal name="add_unit&#39;vc.2.0.0.0.0.2" expl="VC for add_unit" proved="true">
-       <proof prover="2"><result status="valid" time="0.09" steps="568"/></proof>
-       </goal>
-       <goal name="add_unit&#39;vc.2.0.0.0.0.3" expl="VC for add_unit" proved="true">
-       <proof prover="2"><result status="valid" time="0.24" steps="1752"/></proof>
-       </goal>
-       <goal name="add_unit&#39;vc.2.0.0.0.0.4" expl="VC for add_unit" proved="true">
-       <proof prover="2"><result status="valid" time="0.07" steps="277"/></proof>
-       </goal>
-       <goal name="add_unit&#39;vc.2.0.0.0.0.5" expl="VC for add_unit" proved="true">
-       <proof prover="2"><result status="valid" time="0.53" steps="3928"/></proof>
-       </goal>
-       <goal name="add_unit&#39;vc.2.0.0.0.0.6" expl="VC for add_unit" proved="true">
-       <proof prover="2"><result status="valid" time="0.07" steps="281"/></proof>
-       </goal>
-       <goal name="add_unit&#39;vc.2.0.0.0.0.7" expl="VC for add_unit" proved="true">
-       <proof prover="2"><result status="valid" time="0.07" steps="285"/></proof>
-       </goal>
-       <goal name="add_unit&#39;vc.2.0.0.0.0.8" expl="VC for add_unit" proved="true">
-       <proof prover="2"><result status="valid" time="0.78" steps="5494"/></proof>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-     <goal name="add_unit&#39;vc.2.0.0.1" expl="VC for add_unit" proved="true">
-     <proof prover="2"><result status="valid" time="0.07" steps="286"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_unit&#39;vc.3" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="506"/></proof>
-  </goal>
-  <goal name="add_unit&#39;vc.4" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="114"/></proof>
-  </goal>
-  <goal name="add_unit&#39;vc.5" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_unit&#39;vc.5.0" expl="postcondition" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="3.62" steps="25633"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_unit&#39;vc.6" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="74"/></proof>
-  </goal>
-  <goal name="add_unit&#39;vc.7" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_unit&#39;vc.7.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.05" steps="140"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="add_unit&#39;vc.8" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="add_unit&#39;vc.8.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.04" steps="147"/></proof>
-   </goal>
-  </transf>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Formula_Impl2_IsSat" proved="true">
- <goal name="is_sat&#39;vc" expl="VC for is_sat" proved="true">
- <proof prover="2"><result status="valid" time="0.30" steps="1946"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Logic_LogicUtil_Pop_Impl" proved="true">
- <goal name="pop&#39;vc" expl="VC for pop" proved="true">
- <proof prover="2"><result status="valid" time="0.00" steps="38"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Logic_LogicWatches_LemmaPopWatchMaintainsWatcherInvariant_Impl" proved="true">
- <goal name="lemma_pop_watch_maintains_watcher_invariant&#39;vc" expl="VC for lemma_pop_watch_maintains_watcher_invariant" proved="true">
- <proof prover="2"><result status="valid" time="0.03" steps="154"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Watches_Impl0_Unwatch" proved="true">
- <goal name="unwatch&#39;vc" expl="VC for unwatch" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="unwatch&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="48"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="57"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="381"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.3" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="149"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="495"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.5" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="93"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.6" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="646"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.7" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="119"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.8" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="614"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.9" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="524"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="769"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="377"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="399"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.81" steps="102221"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.14" expl="unreachable point" proved="true">
-  <proof prover="3"><result status="valid" time="0.32" steps="687557"/></proof>
-  <proof prover="4"><result status="valid" time="0.74" steps="99518"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.15" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="227"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.16" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="227"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.17" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="unwatch&#39;vc.17.0" expl="assertion" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="unwatch&#39;vc.17.0.0" expl="assertion" proved="true">
-    <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.12" steps="125827"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="unwatch&#39;vc.18" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="478"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.19" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="234"/></proof>
-  </goal>
-  <goal name="unwatch&#39;vc.20" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="unwatch&#39;vc.20.0" expl="assertion" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="3.38" steps="421595"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="unwatch&#39;vc.21" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="485"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Formula_Impl2_DeleteClause" proved="true">
- <goal name="delete_clause&#39;vc" expl="VC for delete_clause" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="delete_clause&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="60"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="67"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="69"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.3" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="72"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="916"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.5" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="77"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.6" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="78"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.7" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="81"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.8" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="86"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.9" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="84"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="94"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="98"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="100"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="1237"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.14" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="106"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.15" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="107"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.16" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="109"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.17" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="114"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.18" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="108"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.19" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="delete_clause&#39;vc.19.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.10" steps="522"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="delete_clause&#39;vc.20" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="delete_clause&#39;vc.20.0" expl="assertion" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="2.09" steps="18592"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="delete_clause&#39;vc.21" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="136"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.22" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="delete_clause&#39;vc.22.0" expl="postcondition" proved="true">
-   <proof prover="4"><result status="valid" time="0.65" steps="76954"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="delete_clause&#39;vc.23" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="delete_clause&#39;vc.23.0" expl="postcondition" proved="true">
-   <proof prover="4"><result status="valid" time="0.79" steps="102653"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="delete_clause&#39;vc.24" expl="postcondition" proved="true">
-  <transf name="inline_all" proved="true" >
-   <goal name="delete_clause&#39;vc.24.0" expl="postcondition" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="delete_clause&#39;vc.24.0.0" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.16" steps="570111"/></proof>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.1" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.16" steps="568648"/></proof>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.2" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.16" steps="569966"/></proof>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.3" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.17" steps="570532"/></proof>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.4" expl="postcondition" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="delete_clause&#39;vc.24.0.4.0" expl="postcondition" proved="true">
-     <proof prover="4" timelimit="30" memlimit="4000"><result status="valid" time="7.92" steps="1376183"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.5" expl="postcondition" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="delete_clause&#39;vc.24.0.5.0" expl="postcondition" proved="true">
-     <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.23" steps="154511"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.6" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.16" steps="570532"/></proof>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.7" expl="postcondition" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="delete_clause&#39;vc.24.0.7.0" expl="postcondition" proved="true">
-     <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.18" steps="141297"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.8" expl="postcondition" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="delete_clause&#39;vc.24.0.8.0" expl="postcondition" proved="true">
-     <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.29" steps="164760"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.9" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.11" steps="276630"/></proof>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.10" expl="postcondition" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="delete_clause&#39;vc.24.0.10.0" expl="postcondition" proved="true">
-     <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="2.38" steps="244180"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.11" expl="postcondition" proved="true">
-    <proof prover="4"><result status="valid" time="0.86" steps="130746"/></proof>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.12" expl="postcondition" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="delete_clause&#39;vc.24.0.12.0" expl="postcondition" proved="true">
-     <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="2.41" steps="238987"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.13" expl="postcondition" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="delete_clause&#39;vc.24.0.13.0" expl="postcondition" proved="true">
-     <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="2.11" steps="239961"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.14" expl="postcondition" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="delete_clause&#39;vc.24.0.14.0" expl="postcondition" proved="true">
-     <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="2.42" steps="240362"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.15" expl="postcondition" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="delete_clause&#39;vc.24.0.15.0" expl="postcondition" proved="true">
-     <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="3.92" steps="455223"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.16" expl="postcondition" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="delete_clause&#39;vc.24.0.16.0" expl="postcondition" proved="true">
-     <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="3.89" steps="455114"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.17" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.18" steps="583662"/></proof>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.18" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.19" steps="583710"/></proof>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.19" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.22" steps="582355"/></proof>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.20" expl="postcondition" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="delete_clause&#39;vc.24.0.20.0" expl="postcondition" proved="true">
-     <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.01" steps="138411"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.21" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.19" steps="585018"/></proof>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.22" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.17" steps="585072"/></proof>
-    </goal>
-    <goal name="delete_clause&#39;vc.24.0.23" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.17" steps="584640"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="delete_clause&#39;vc.25" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="246"/></proof>
-  </goal>
-  <goal name="delete_clause&#39;vc.26" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="delete_clause&#39;vc.26.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.07" steps="288"/></proof>
-   </goal>
-  </transf>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Formula_Impl2_DeleteClauses" proved="true">
- <goal name="delete_clauses&#39;vc" expl="VC for delete_clauses" proved="true">
- <proof prover="4"><result status="valid" time="0.60" steps="102657"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Formula_Impl2_SimplifyFormula" proved="true">
- <goal name="simplify_formula&#39;vc" expl="VC for simplify_formula" proved="true">
- <proof prover="2"><result status="valid" time="0.10" steps="363"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Formula_Impl2_ReduceDb" proved="true">
- <goal name="reduceDB&#39;vc" expl="VC for reduceDB" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="reduceDB&#39;vc.0" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="52"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="53"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.2" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="54"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.3" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="55"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.4" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="56"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.5" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="57"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.6" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="138"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.7" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="126"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.8" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="132"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.9" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="134"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.10" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="134"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.11" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="255"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="82"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.13" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="408"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.14" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="95"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.15" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="95"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.16" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="95"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.17" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="95"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.18" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="95"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.19" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="95"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.20" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="95"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.21" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="94"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.22" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="547"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.23" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.24" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.25" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="115"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.26" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="115"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.27" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="115"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.28" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="115"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.29" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="115"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.30" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="112"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.31" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="625"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.32" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="153"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.33" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="153"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.34" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="153"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.35" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="153"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.36" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="153"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.37" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="153"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.38" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="153"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.39" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="158"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.40" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="159"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.41" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="160"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.42" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="162"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.43" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="165"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.44" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="175"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.45" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="744"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.46" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="176"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.47" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="177"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.48" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="179"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.49" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="179"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.50" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="179"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.51" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="181"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.52" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="553"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.53" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="310"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.54" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="158"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.55" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="159"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.56" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="160"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.57" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="162"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.58" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="165"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.59" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="175"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.60" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="732"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.61" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="176"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.62" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="177"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.63" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="179"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.64" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="179"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.65" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="179"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.66" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="181"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.67" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="560"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.68" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="137"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.69" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="137"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.70" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="137"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.71" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="137"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.72" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="137"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.73" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="137"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.74" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="147"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.75" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="147"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.76" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="147"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.77" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="147"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.78" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="147"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.79" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="147"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.80" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="147"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.81" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="147"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.82" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="163"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.83" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="164"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.84" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="166"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.85" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="168"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.86" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="172"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.87" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="181"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.88" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="701"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.89" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="182"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.90" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="184"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.91" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="185"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.92" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="186"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.93" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="186"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.94" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="187"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.95" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="560"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.96" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="317"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.97" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="163"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.98" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="164"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.99" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="165"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.100" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="168"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.101" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="172"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.102" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="181"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.103" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="697"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.104" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="182"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.105" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="184"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.106" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="185"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.107" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="186"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.108" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="186"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.109" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="187"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.110" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="567"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.111" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="145"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.112" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="164"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.113" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.27" steps="2136"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.114" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="765"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.115" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="332"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.116" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="784"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.117" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="71"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.118" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="62"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.119" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="63"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.120" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="64"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.121" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="65"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.122" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="66"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.123" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="67"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.124" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="190"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.125" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="151"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.126" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="157"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.127" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="158"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.128" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="158"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.129" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="340"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.130" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="92"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.131" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="828"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.132" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="107"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.133" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="107"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.134" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="107"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.135" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="107"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.136" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="107"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.137" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="107"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.138" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="107"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.139" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="104"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.140" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="1066"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.141" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="128"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.142" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="128"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.143" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="128"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.144" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="128"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.145" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="128"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.146" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="128"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.147" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="128"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.148" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="122"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.149" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="1171"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.150" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="166"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.151" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="166"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.152" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="166"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.153" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="166"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.154" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="166"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.155" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="166"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.156" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="166"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.157" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="172"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.158" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="173"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.159" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="174"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.160" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="175"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.161" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="180"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.162" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="188"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.163" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="1337"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.164" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="189"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.165" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="190"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.166" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="192"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.167" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="192"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.168" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="193"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.169" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="195"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.170" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="705"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.171" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="347"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.172" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="172"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.173" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="173"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.174" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="174"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.175" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="175"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.176" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="180"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.177" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="188"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.178" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.21" steps="1396"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.179" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="189"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.180" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="190"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.181" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="192"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.182" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="192"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.183" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="193"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.184" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="195"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.185" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="723"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.186" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="150"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.187" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="150"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.188" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="150"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.189" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="150"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.190" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="150"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.191" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="150"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.192" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="161"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.193" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="161"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.194" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="161"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.195" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="161"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.196" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="161"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.197" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="161"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.198" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="161"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.199" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="161"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.200" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="177"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.201" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="178"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.202" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="179"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.203" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="181"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.204" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="185"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.205" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="193"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.206" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="1341"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.207" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="194"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.208" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="196"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.209" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="197"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.210" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="198"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.211" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="198"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.212" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="200"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.213" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="714"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.214" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="354"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.215" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="178"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.216" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="178"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.217" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="179"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.218" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="181"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.219" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="185"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.220" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="193"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.221" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="1416"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.222" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="195"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.223" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="196"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.224" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="197"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.225" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="198"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.226" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="198"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.227" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="200"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.228" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="731"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.229" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="158"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.230" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="177"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.231" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.40" steps="2739"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.232" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="1251"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.233" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="369"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.234" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="1276"/></proof>
-  </goal>
-  <goal name="reduceDB&#39;vc.235" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="125"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Lit_Impl1_LitSet" proved="true">
- <goal name="lit_set&#39;vc" expl="VC for lit_set" proved="true">
- <proof prover="2"><result status="valid" time="0.04" steps="388"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Lit_Impl1_ToWatchidx" proved="true">
- <goal name="to_watchidx&#39;vc" expl="VC for to_watchidx" proved="true">
- <proof prover="2"><result status="valid" time="0.04" steps="541"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Lit_Impl1_PhaseSaved" proved="true">
- <goal name="phase_saved&#39;vc" expl="VC for phase_saved" proved="true">
- <proof prover="2"><result status="valid" time="0.02" steps="132"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Lit_Impl2_Eq" proved="true">
- <goal name="eq&#39;vc" expl="VC for eq" proved="true">
- <proof prover="2"><result status="valid" time="0.04" steps="334"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Lit_Impl3_Not" proved="true">
- <goal name="not&#39;&#39;vc" expl="VC for not&#39;" proved="true">
- <proof prover="2"><result status="valid" time="0.02" steps="168"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Logic_Logic_BoolToAssignedstate_Impl" proved="true">
- <goal name="bool_to_assignedstate&#39;vc" expl="VC for bool_to_assignedstate" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="25"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Logic_LogicTrail_LemmaAssignMaintainsLongArePostUnit_Impl" proved="true">
- <goal name="lemma_assign_maintains_long_are_post_unit&#39;vc" expl="VC for lemma_assign_maintains_long_are_post_unit" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="lemma_assign_maintains_long_are_post_unit&#39;vc.0" expl="postcondition" proved="true">
-  <transf name="inline_goal" proved="true" >
-   <goal name="lemma_assign_maintains_long_are_post_unit&#39;vc.0.0" expl="postcondition" proved="true">
-   <transf name="split_all_full" proved="true" >
-    <goal name="lemma_assign_maintains_long_are_post_unit&#39;vc.0.0.0" expl="postcondition" proved="true">
-    <proof prover="2"><result status="valid" time="0.56" steps="4673"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="lemma_assign_maintains_long_are_post_unit&#39;vc.1" expl="postcondition" proved="true">
-  <transf name="inline_goal" proved="true" >
-   <goal name="lemma_assign_maintains_long_are_post_unit&#39;vc.1.0" expl="postcondition" proved="true">
-   <transf name="split_all_full" proved="true" >
-    <goal name="lemma_assign_maintains_long_are_post_unit&#39;vc.1.0.0" expl="postcondition" proved="true">
-    <proof prover="2"><result status="valid" time="0.58" steps="4172"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Logic_LogicTrail_LemmaPushMaintainsLitNotInLess_Impl" proved="true">
- <goal name="lemma_push_maintains_lit_not_in_less&#39;vc" expl="VC for lemma_push_maintains_lit_not_in_less" proved="true">
- <proof prover="2"><result status="valid" time="0.18" steps="1519"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Logic_LogicUtil_LastIdx_Impl" proved="true">
- <goal name="last_idx&#39;vc" expl="VC for last_idx" proved="true">
- <proof prover="2"><result status="valid" time="0.00" steps="0"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Logic_LogicUtil_LastElem_Impl" proved="true">
- <goal name="last_elem&#39;vc" expl="VC for last_elem" proved="true">
- <proof prover="2"><result status="valid" time="0.00" steps="0"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Logic_LogicUtil_LemmaPopMaintainsSorted_Impl" proved="true">
- <goal name="lemma_pop_maintains_sorted&#39;vc" expl="VC for lemma_pop_maintains_sorted" proved="true">
- <proof prover="2"><result status="valid" time="0.02" steps="198"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Logic_LogicWatches_LemmaPushMaintainsWatcherInvariant_Impl" proved="true">
- <goal name="lemma_push_maintains_watcher_invariant&#39;vc" expl="VC for lemma_push_maintains_watcher_invariant" proved="true">
- <proof prover="2"><result status="valid" time="0.03" steps="233"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Solver_GetAssertingLevel" proved="true">
- <goal name="get_asserting_level&#39;vc" expl="VC for get_asserting_level" proved="true">
- <proof prover="2"><result status="valid" time="0.12" steps="1215"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Assignments_Impl1" proved="true">
- <goal name="IndexMut1.index_mut&#39;refn&#39;vc" expl="VC for index_mut&#39;refn" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="28"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Trail_Impl0_Backstep" proved="true">
- <goal name="backstep&#39;vc" expl="VC for backstep" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="backstep&#39;vc.0" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backstep&#39;vc.0.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.03" steps="100"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backstep&#39;vc.1" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backstep&#39;vc.1.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.04" steps="105"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backstep&#39;vc.2" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backstep&#39;vc.2.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.04" steps="107"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backstep&#39;vc.3" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backstep&#39;vc.3.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.03" steps="108"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backstep&#39;vc.4" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="60"/></proof>
-  </goal>
-  <goal name="backstep&#39;vc.5" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backstep&#39;vc.5.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.04" steps="109"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backstep&#39;vc.6" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backstep&#39;vc.6.0" expl="postcondition" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="backstep&#39;vc.6.0.0" expl="postcondition" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="backstep&#39;vc.6.0.0.0" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.16" steps="118"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.6.0.0.1" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.12" steps="123"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.6.0.0.2" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.08" steps="125"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.6.0.0.3" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.05" steps="126"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.6.0.0.4" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.05" steps="119"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.6.0.0.5" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.05" steps="130"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.6.0.0.6" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.05" steps="121"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.6.0.0.7" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.13" steps="131"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.6.0.0.8" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.06" steps="134"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backstep&#39;vc.7" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="94"/></proof>
-  </goal>
-  <goal name="backstep&#39;vc.8" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="68"/></proof>
-  </goal>
-  <goal name="backstep&#39;vc.9" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backstep&#39;vc.9.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.07" steps="658"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backstep&#39;vc.10" expl="integer overflow" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backstep&#39;vc.10.0" expl="integer overflow" proved="true">
-   <proof prover="2"><result status="valid" time="0.09" steps="936"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backstep&#39;vc.11" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backstep&#39;vc.11.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.04" steps="161"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backstep&#39;vc.12" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="77"/></proof>
-  </goal>
-  <goal name="backstep&#39;vc.13" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backstep&#39;vc.13.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.11" steps="1143"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backstep&#39;vc.14" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backstep&#39;vc.14.0" expl="assertion" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="2.01" steps="14237"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backstep&#39;vc.15" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backstep&#39;vc.15.0" expl="postcondition" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="backstep&#39;vc.15.0.0" expl="postcondition" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="backstep&#39;vc.15.0.0.0" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.21" steps="1682"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.15.0.0.1" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.18" steps="1139"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.15.0.0.2" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.12" steps="573"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.15.0.0.3" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.39" steps="3226"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.15.0.0.4" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.38" steps="3097"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.15.0.0.5" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.06" steps="265"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.15.0.0.6" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="1.50" steps="11214"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.15.0.0.7" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.18" steps="1264"/></proof>
-     </goal>
-     <goal name="backstep&#39;vc.15.0.0.8" expl="VC for backstep" proved="true">
-     <proof prover="2"><result status="valid" time="0.29" steps="2120"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backstep&#39;vc.16" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="179"/></proof>
-  </goal>
-  <goal name="backstep&#39;vc.17" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="1600"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Trail_Impl0_BacktrackTo" proved="true">
- <goal name="backtrack_to&#39;vc" expl="VC for backtrack_to" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="backtrack_to&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="54"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.1" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="716"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="65"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.3" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="176"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.4" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="180"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.5" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="105"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.6" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="188"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.7" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="110"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.8" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="113"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.9" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="113"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.10" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="118"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.11" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="145"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.12" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="145"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.13" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="145"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.14" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="164"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.15" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="164"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.16" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="164"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.17" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="351"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.18" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="499"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.19" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="500"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.20" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="502"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.21" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="187"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.22" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="503"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.23" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.23.0" expl="postcondition" proved="true">
-   <proof prover="4"><result status="valid" time="0.66" steps="81883"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.24" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.24.0" expl="postcondition" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="backtrack_to&#39;vc.24.0.0" expl="postcondition" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="backtrack_to&#39;vc.24.0.0.0" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.11" steps="561"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.24.0.0.1" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.13" steps="725"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.24.0.0.2" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.19" steps="1053"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.24.0.0.3" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.21" steps="1109"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.24.0.0.4" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.22" steps="1173"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.24.0.0.5" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.23" steps="1177"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.24.0.0.6" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.12" steps="699"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.24.0.0.7" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.23" steps="1275"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.24.0.0.8" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.24" steps="1335"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.24.0.0.9" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.25" steps="1327"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.25" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.25.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.08" steps="566"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.26" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="177"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.27" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="177"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.28" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="177"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.29" expl="unreachable point" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="177"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.30" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.30.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.07" steps="190"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.31" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="177"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.32" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="177"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.33" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="177"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.34" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="177"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.35" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.35.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="190"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.36" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="177"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.37" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="376"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.38" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="191"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.39" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="213"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.40" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="429"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.41" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="430"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.42" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="431"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.43" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="222"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.44" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="432"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.45" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.45.0" expl="postcondition" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.25" steps="128369"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.46" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.46.0" expl="postcondition" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="backtrack_to&#39;vc.46.0.0" expl="postcondition" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="backtrack_to&#39;vc.46.0.0.0" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.12" steps="490"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.46.0.0.1" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.13" steps="643"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.46.0.0.2" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.21" steps="1058"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.46.0.0.3" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.22" steps="1113"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.46.0.0.4" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.23" steps="1177"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.46.0.0.5" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.25" steps="1177"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.46.0.0.6" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.12" steps="636"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.46.0.0.7" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.21" steps="1248"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.46.0.0.8" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.23" steps="1325"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.46.0.0.9" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.24" steps="1316"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.47" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.47.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.08" steps="496"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.48" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="424"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.49" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="212"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.50" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="214"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.51" expl="unreachable point" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="227"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.52" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.52.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.11" steps="526"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.53" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="234"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.54" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="234"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.55" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="491"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.56" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.56.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.12" steps="536"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.57" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.57.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.32" steps="2063"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.58" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="238"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.59" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="308"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.60" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="306"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.61" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="175"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.62" expl="unreachable point" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="188"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.63" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.63.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.08" steps="403"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.64" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="194"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.65" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="369"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.66" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.66.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="412"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.67" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.67.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.16" steps="1603"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.68" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="197"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.69" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="138"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.70" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="605"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.71" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="149"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.72" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="153"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.73" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="150"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.74" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="341"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.75" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="866"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.76" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="367"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.77" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="171"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.78" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.78.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.07" steps="174"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.79" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="177"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.80" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="177"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.81" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="177"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.82" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="177"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.83" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="177"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.84" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="838"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.85" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="369"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.86" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="173"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.87" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.87.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.07" steps="176"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.88" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="179"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.89" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="180"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.90" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="180"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.91" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="180"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.92" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="426"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.93" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="195"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.94" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="209"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.95" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="213"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.96" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="115"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.97" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="221"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.98" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="119"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.99" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="122"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.100" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="122"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.101" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="259"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.102" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="155"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.103" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="155"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.104" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="155"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.105" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="173"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.106" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="173"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.107" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="173"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.108" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="394"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.109" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="560"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.110" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="561"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.111" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="562"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.112" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="197"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.113" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="562"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.114" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.114.0" expl="postcondition" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="backtrack_to&#39;vc.114.0.0" expl="postcondition" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="backtrack_to&#39;vc.114.0.0.0" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.56" steps="3630"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.114.0.0.1" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.23" steps="655"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.115" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.115.0" expl="postcondition" proved="true">
-   <proof prover="4"><result status="valid" time="0.67" steps="85278"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.116" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.116.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.07" steps="627"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.117" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="186"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.118" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="186"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.119" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="186"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.120" expl="unreachable point" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="186"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.121" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.121.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="200"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.122" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="186"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.123" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="186"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.124" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="186"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.125" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="186"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.126" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.126.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="200"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.127" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="186"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.128" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="423"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.129" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="200"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.130" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="222"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.131" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="478"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.132" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="479"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.133" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="481"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.134" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="231"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.135" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="481"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.136" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.136.0" expl="postcondition" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="backtrack_to&#39;vc.136.0.0" expl="postcondition" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="backtrack_to&#39;vc.136.0.0.0" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.67" steps="3884"/></proof>
-     </goal>
-     <goal name="backtrack_to&#39;vc.136.0.0.1" expl="VC for backtrack_to" proved="true">
-     <proof prover="2"><result status="valid" time="0.63" steps="3179"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.137" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.137.0" expl="postcondition" proved="true">
-   <proof prover="4"><result status="valid" time="0.74" steps="84565"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.138" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.138.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.08" steps="545"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.139" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="473"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.140" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="222"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.141" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="223"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.142" expl="unreachable point" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="236"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.143" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.143.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="574"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.144" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="243"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.145" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="243"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.146" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="538"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.147" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.147.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.11" steps="585"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.148" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.148.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.33" steps="2208"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.149" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="247"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.150" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="352"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.151" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="349"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.152" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="184"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.153" expl="unreachable point" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="198"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.154" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.154.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.11" steps="446"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.155" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="203"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.156" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="411"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.157" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.157.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="454"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.158" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="backtrack_to&#39;vc.158.0" expl="loop invariant preservation" proved="true">
-   <proof prover="2"><result status="valid" time="0.17" steps="1724"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="backtrack_to&#39;vc.159" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="206"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.160" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="147"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.161" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="379"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.162" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="158"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.163" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="162"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.164" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="160"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.165" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="384"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.166" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="962"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.167" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="411"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.168" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="182"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.169" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="185"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.170" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="187"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.171" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="189"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.172" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="189"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.173" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="189"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.174" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="189"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.175" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="936"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.176" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="413"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.177" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="184"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.178" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="186"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.179" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="190"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.180" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="191"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.181" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="191"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.182" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="191"/></proof>
-  </goal>
-  <goal name="backtrack_to&#39;vc.183" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="474"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Trail_Impl0_BacktrackSafe" proved="true">
- <goal name="backtrack_safe&#39;vc" expl="VC for backtrack_safe" proved="true">
- <proof prover="2"><result status="valid" time="0.12" steps="835"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Trail_Impl0_EnqAssignment" proved="true">
- <goal name="enq_assignment&#39;vc" expl="VC for enq_assignment" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="enq_assignment&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="384"/></proof>
-  </goal>
-  <goal name="enq_assignment&#39;vc.1" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_assignment&#39;vc.1.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="363"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_assignment&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="82"/></proof>
-  </goal>
-  <goal name="enq_assignment&#39;vc.3" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="84"/></proof>
-  </goal>
-  <goal name="enq_assignment&#39;vc.4" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_assignment&#39;vc.4.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.05" steps="336"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_assignment&#39;vc.5" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_assignment&#39;vc.5.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.04" steps="191"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_assignment&#39;vc.6" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_assignment&#39;vc.6.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.04" steps="191"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_assignment&#39;vc.7" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="93"/></proof>
-  </goal>
-  <goal name="enq_assignment&#39;vc.8" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="94"/></proof>
-  </goal>
-  <goal name="enq_assignment&#39;vc.9" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_assignment&#39;vc.9.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="1.26" steps="10530"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_assignment&#39;vc.10" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_assignment&#39;vc.10.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.37" steps="2692"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_assignment&#39;vc.11" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_assignment&#39;vc.11.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.10" steps="889"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_assignment&#39;vc.12" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_assignment&#39;vc.12.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.16" steps="1622"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_assignment&#39;vc.13" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_assignment&#39;vc.13.0" expl="postcondition" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="enq_assignment&#39;vc.13.0.0" expl="postcondition" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="enq_assignment&#39;vc.13.0.0.0" expl="VC for enq_assignment" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="enq_assignment&#39;vc.13.0.0.0.0" expl="VC for enq_assignment" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="enq_assignment&#39;vc.13.0.0.0.0.0" expl="VC for enq_assignment" proved="true">
-       <transf name="split_all_full" proved="true" >
-        <goal name="enq_assignment&#39;vc.13.0.0.0.0.0.0" expl="VC for enq_assignment" proved="true">
-        <proof prover="2"><result status="valid" time="0.06" steps="239"/></proof>
-        </goal>
-        <goal name="enq_assignment&#39;vc.13.0.0.0.0.0.1" expl="VC for enq_assignment" proved="true">
-        <proof prover="2"><result status="valid" time="0.15" steps="1269"/></proof>
-        </goal>
-        <goal name="enq_assignment&#39;vc.13.0.0.0.0.0.2" expl="VC for enq_assignment" proved="true">
-        <proof prover="2"><result status="valid" time="0.12" steps="981"/></proof>
-        </goal>
-        <goal name="enq_assignment&#39;vc.13.0.0.0.0.0.3" expl="VC for enq_assignment" proved="true">
-        <proof prover="2"><result status="valid" time="0.07" steps="247"/></proof>
-        </goal>
-        <goal name="enq_assignment&#39;vc.13.0.0.0.0.0.4" expl="VC for enq_assignment" proved="true">
-        <proof prover="2"><result status="valid" time="0.07" steps="238"/></proof>
-        </goal>
-        <goal name="enq_assignment&#39;vc.13.0.0.0.0.0.5" expl="VC for enq_assignment" proved="true">
-        <proof prover="2"><result status="valid" time="0.06" steps="250"/></proof>
-        </goal>
-        <goal name="enq_assignment&#39;vc.13.0.0.0.0.0.6" expl="VC for enq_assignment" proved="true">
-        <proof prover="2"><result status="valid" time="0.87" steps="6416"/></proof>
-        </goal>
-        <goal name="enq_assignment&#39;vc.13.0.0.0.0.0.7" expl="VC for enq_assignment" proved="true">
-        <proof prover="2"><result status="valid" time="0.10" steps="1074"/></proof>
-        </goal>
-        <goal name="enq_assignment&#39;vc.13.0.0.0.0.0.8" expl="VC for enq_assignment" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="enq_assignment&#39;vc.13.0.0.0.0.0.8.0" expl="VC for enq_assignment" proved="true">
-         <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="2.06" steps="15625"/></proof>
-         </goal>
-        </transf>
-        </goal>
-       </transf>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-     <goal name="enq_assignment&#39;vc.13.0.0.1" expl="VC for enq_assignment" proved="true">
-     <proof prover="2"><result status="valid" time="0.10" steps="591"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_assignment&#39;vc.14" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_assignment&#39;vc.14.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.08" steps="549"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_assignment&#39;vc.15" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_assignment&#39;vc.15.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="240"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_assignment&#39;vc.16" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="172"/></proof>
-  </goal>
-  <goal name="enq_assignment&#39;vc.17" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="191"/></proof>
-  </goal>
-  <goal name="enq_assignment&#39;vc.18" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_assignment&#39;vc.18.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="247"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_assignment&#39;vc.19" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_assignment&#39;vc.19.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.04" steps="246"/></proof>
-   </goal>
-  </transf>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Solver_Impl0_HandleLongClause" proved="true">
- <goal name="handle_long_clause&#39;vc" expl="VC for handle_long_clause" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="handle_long_clause&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="99"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="93"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="68"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.3" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="104"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="78"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.5" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="79"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.6" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="121"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.7" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="82"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.8" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="135"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.9" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="303"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="142"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="147"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="148"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="98"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.14" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="102"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.15" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="713"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.16" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="123"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.17" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="124"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.18" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="125"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.19" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="126"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.20" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="190"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.21" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="135"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.22" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="138"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.23" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="195"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.24" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="187"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.25" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="188"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.26" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="191"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.27" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="605"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.28" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="309"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.29" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="310"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.30" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="349"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.31" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="376"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.32" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="863"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.33" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="386"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.34" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="359"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.35" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="372"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.36" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="373"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.37" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="376"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.38" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="387"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.39" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="388"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.40" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="251"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.41" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="253"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.42" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.51" steps="2906"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.43" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.71" steps="3960"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.44" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="1.03" steps="5553"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.45" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="1.11" steps="6705"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.46" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.27" steps="1281"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.47" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="273"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.48" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="393"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.49" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="408"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.50" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="408"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.51" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="412"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.52" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="423"/></proof>
-  </goal>
-  <goal name="handle_long_clause&#39;vc.53" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="424"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Trail_Impl0_LearnUnit" proved="true">
- <goal name="learn_unit&#39;vc" expl="VC for learn_unit" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="learn_unit&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="103"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="106"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="631"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.3" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="144"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="151"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.5" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="106"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.6" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="107"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.7" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="916"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.8" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.21" steps="1443"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.9" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="969"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="1959"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="559"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="124"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.13" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="191"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.14" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="195"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.15" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="202"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.16" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="201"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.17" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="117"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.18" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="121"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.19" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="127"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.20" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="126"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.21" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="66"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.22" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="67"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.23" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="68"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.24" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="70"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.25" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="74"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.26" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="134"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.27" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="137"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.28" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="934"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.29" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="177"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.30" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="185"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.31" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="126"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.32" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="128"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.33" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.19" steps="1226"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.34" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.34" steps="1957"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.35" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="1229"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.36" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.43" steps="2638"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.37" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="671"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.38" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="147"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.39" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="223"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.40" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="227"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.41" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="235"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.42" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="233"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.43" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="149"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.44" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="153"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.45" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="160"/></proof>
-  </goal>
-  <goal name="learn_unit&#39;vc.46" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="158"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Solver_Impl0_HandleConflict" proved="true">
- <goal name="handle_conflict&#39;vc" expl="VC for handle_conflict" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="handle_conflict&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="60"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="95"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="64"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.3" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="66"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="72"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.5" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="74"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.6" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="108"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.7" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="115"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.8" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="117"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.9" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="120"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.10" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="126"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.11" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="235"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.12" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="126"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="74"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.14" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="75"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.15" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.16" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="139"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.17" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="85"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.18" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="142"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.19" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="137"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.20" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="146"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.21" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="120"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.22" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="123"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.23" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="126"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.24" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="128"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.25" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="135"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.26" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="886"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.27" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="498"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.28" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="154"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.29" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="handle_conflict&#39;vc.29.0" expl="precondition" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.37" steps="145007"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="handle_conflict&#39;vc.30" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="156"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.31" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="157"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.32" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="157"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.33" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="158"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.34" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="174"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.35" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="176"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.36" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="177"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.37" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="178"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.38" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="263"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.39" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="277"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.40" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="279"/></proof>
-  <proof prover="4"><result status="valid" time="0.67" steps="74294"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.41" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="283"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.42" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="291"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.43" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.25" steps="543"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.44" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="297"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.45" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="200"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.46" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="212"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.47" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="handle_conflict&#39;vc.47.0" expl="postcondition" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.33" steps="143137"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="handle_conflict&#39;vc.48" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="217"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.49" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="225"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.50" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="227"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.51" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="231"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.52" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="94"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.53" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="95"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.54" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="96"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.55" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="100"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.56" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="103"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.57" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="157"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.58" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="159"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.59" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="206"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.60" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="211"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.61" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="168"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.62" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="177"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.63" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="handle_conflict&#39;vc.63.0" expl="postcondition" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="0.51" steps="70981"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="handle_conflict&#39;vc.64" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="182"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.65" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="189"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.66" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="190"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.67" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="196"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.68" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="80"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.69" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="81"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.70" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="82"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.71" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="137"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.72" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="85"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.73" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="143"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.74" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="146"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.75" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="125"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.76" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="126"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.77" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="128"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.78" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="451"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.79" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="198"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.80" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="209"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.81" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="handle_conflict&#39;vc.81.0" expl="postcondition" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="0.58" steps="72009"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="handle_conflict&#39;vc.82" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="215"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.83" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="221"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.84" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="223"/></proof>
-  </goal>
-  <goal name="handle_conflict&#39;vc.85" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="229"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Util_Min" proved="true">
- <goal name="min&#39;vc" expl="VC for min" proved="true">
- <proof prover="2"><result status="valid" time="0.02" steps="355"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Util_Max" proved="true">
- <goal name="max&#39;vc" expl="VC for max" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="150"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_UnitProp_Swap" proved="true">
- <goal name="swap&#39;vc" expl="VC for swap" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="swap&#39;vc.0" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap&#39;vc.0.0" expl="assertion" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="0.16" steps="776"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap&#39;vc.1" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="233"/></proof>
-  </goal>
-  <goal name="swap&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="74"/></proof>
-  </goal>
-  <goal name="swap&#39;vc.3" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="187"/></proof>
-  </goal>
-  <goal name="swap&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="200"/></proof>
-  </goal>
-  <goal name="swap&#39;vc.5" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap&#39;vc.5.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.13" steps="567"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap&#39;vc.6" expl="assertion" proved="true">
-  <proof prover="3"><result status="valid" time="0.24" steps="573640"/></proof>
-  </goal>
-  <goal name="swap&#39;vc.7" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap&#39;vc.7.0" expl="assertion" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="swap&#39;vc.7.0.0" expl="assertion" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="swap&#39;vc.7.0.0.0" expl="assertion" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="swap&#39;vc.7.0.0.0.0" expl="assertion" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="swap&#39;vc.7.0.0.0.0.0" expl="assertion" proved="true">
-       <transf name="inline_all" proved="true" >
-        <goal name="swap&#39;vc.7.0.0.0.0.0.0" expl="assertion" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="swap&#39;vc.7.0.0.0.0.0.0.0" expl="assertion" proved="true">
-         <proof prover="4" timelimit="30" memlimit="4000"><result status="valid" time="8.65" steps="1208507"/></proof>
-         </goal>
-        </transf>
-        </goal>
-       </transf>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap&#39;vc.8" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap&#39;vc.8.0" expl="assertion" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="swap&#39;vc.8.0.0" expl="assertion" proved="true">
-    <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="3.50" steps="33706"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap&#39;vc.9" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap&#39;vc.9.0" expl="assertion" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="swap&#39;vc.9.0.0" expl="assertion" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="swap&#39;vc.9.0.0.0" expl="assertion" proved="true">
-     <proof prover="4"><result status="valid" time="0.94" steps="119510"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap&#39;vc.10" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap&#39;vc.10.0" expl="assertion" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="swap&#39;vc.10.0.0" expl="assertion" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="swap&#39;vc.10.0.0.0" expl="assertion" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="swap&#39;vc.10.0.0.0.0" expl="assertion" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="swap&#39;vc.10.0.0.0.0.0" expl="assertion" proved="true">
-       <transf name="split_all_full" proved="true" >
-        <goal name="swap&#39;vc.10.0.0.0.0.0.0" expl="VC for swap" proved="true">
-        <proof prover="2"><result status="valid" time="0.64" steps="4094"/></proof>
-        </goal>
-        <goal name="swap&#39;vc.10.0.0.0.0.0.1" expl="VC for swap" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="swap&#39;vc.10.0.0.0.0.0.1.0" expl="VC for swap" proved="true">
-         <transf name="inline_goal" proved="true" >
-          <goal name="swap&#39;vc.10.0.0.0.0.0.1.0.0" expl="VC for swap" proved="true">
-          <transf name="split_all_full" proved="true" >
-           <goal name="swap&#39;vc.10.0.0.0.0.0.1.0.0.0" expl="VC for swap" proved="true">
-           <proof prover="2"><result status="valid" time="0.09" steps="307"/></proof>
-           </goal>
-           <goal name="swap&#39;vc.10.0.0.0.0.0.1.0.0.1" expl="VC for swap" proved="true">
-           <proof prover="3"><result status="valid" time="0.28" steps="632370"/></proof>
-           <proof prover="4"><result status="valid" time="0.84" steps="118511"/></proof>
-           </goal>
-           <goal name="swap&#39;vc.10.0.0.0.0.0.1.0.0.2" expl="VC for swap" proved="true">
-           <proof prover="4"><result status="valid" time="0.91" steps="119095"/></proof>
-           </goal>
-           <goal name="swap&#39;vc.10.0.0.0.0.0.1.0.0.3" expl="VC for swap" proved="true">
-           <proof prover="2"><result status="valid" time="0.10" steps="307"/></proof>
-           </goal>
-           <goal name="swap&#39;vc.10.0.0.0.0.0.1.0.0.4" expl="VC for swap" proved="true">
-           <proof prover="3"><result status="valid" time="0.28" steps="632385"/></proof>
-           <proof prover="4"><result status="valid" time="0.83" steps="118594"/></proof>
-           </goal>
-           <goal name="swap&#39;vc.10.0.0.0.0.0.1.0.0.5" expl="VC for swap" proved="true">
-           <transf name="split_vc" proved="true" >
-            <goal name="swap&#39;vc.10.0.0.0.0.0.1.0.0.5.0" expl="VC for swap" proved="true">
-            <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="0.99" steps="124576"/></proof>
-            </goal>
-           </transf>
-           </goal>
-          </transf>
-          </goal>
-         </transf>
-         </goal>
-        </transf>
-        </goal>
-       </transf>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap&#39;vc.11" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap&#39;vc.11.0" expl="postcondition" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="swap&#39;vc.11.0.0" expl="postcondition" proved="true">
-    <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.71" steps="204790"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap&#39;vc.12" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap&#39;vc.12.0" expl="postcondition" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="swap&#39;vc.12.0.0" expl="postcondition" proved="true">
-    <transf name="inline_goal" proved="true" >
-     <goal name="swap&#39;vc.12.0.0.0" expl="postcondition" proved="true">
-     <transf name="split_all_full" proved="true" >
-      <goal name="swap&#39;vc.12.0.0.0.0" expl="VC for swap" proved="true">
-      <transf name="split_vc" proved="true" >
-       <goal name="swap&#39;vc.12.0.0.0.0.0" expl="VC for swap" proved="true">
-       <transf name="inline_goal" proved="true" >
-        <goal name="swap&#39;vc.12.0.0.0.0.0.0" expl="VC for swap" proved="true">
-        <transf name="split_all_full" proved="true" >
-         <goal name="swap&#39;vc.12.0.0.0.0.0.0.0" expl="VC for swap" proved="true">
-         <proof prover="2"><result status="valid" time="0.20" steps="1270"/></proof>
-         </goal>
-         <goal name="swap&#39;vc.12.0.0.0.0.0.0.1" expl="VC for swap" proved="true">
-         <proof prover="2"><result status="valid" time="0.11" steps="308"/></proof>
-         </goal>
-         <goal name="swap&#39;vc.12.0.0.0.0.0.0.2" expl="VC for swap" proved="true">
-         <proof prover="2"><result status="valid" time="0.22" steps="1214"/></proof>
-         </goal>
-         <goal name="swap&#39;vc.12.0.0.0.0.0.0.3" expl="VC for swap" proved="true">
-         <transf name="split_vc" proved="true" >
-          <goal name="swap&#39;vc.12.0.0.0.0.0.0.3.0" expl="VC for swap" proved="true">
-          <transf name="inline_goal" proved="true" >
-           <goal name="swap&#39;vc.12.0.0.0.0.0.0.3.0.0" expl="VC for swap" proved="true">
-           <proof prover="2" timelimit="30" memlimit="4000"><result status="valid" time="4.48" steps="33153"/></proof>
-           </goal>
-          </transf>
-          </goal>
-         </transf>
-         </goal>
-         <goal name="swap&#39;vc.12.0.0.0.0.0.0.4" expl="VC for swap" proved="true">
-         <proof prover="2"><result status="valid" time="0.15" steps="662"/></proof>
-         </goal>
-         <goal name="swap&#39;vc.12.0.0.0.0.0.0.5" expl="VC for swap" proved="true">
-         <proof prover="2"><result status="valid" time="0.12" steps="314"/></proof>
-         </goal>
-         <goal name="swap&#39;vc.12.0.0.0.0.0.0.6" expl="VC for swap" proved="true">
-         <proof prover="2"><result status="valid" time="0.16" steps="663"/></proof>
-         </goal>
-         <goal name="swap&#39;vc.12.0.0.0.0.0.0.7" expl="VC for swap" proved="true">
-         <proof prover="2"><result status="valid" time="0.15" steps="666"/></proof>
-         </goal>
-         <goal name="swap&#39;vc.12.0.0.0.0.0.0.8" expl="VC for swap" proved="true">
-         <transf name="split_vc" proved="true" >
-          <goal name="swap&#39;vc.12.0.0.0.0.0.0.8.0" expl="VC for swap" proved="true">
-          <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.57" steps="14257"/></proof>
-          </goal>
-         </transf>
-         </goal>
-        </transf>
-        </goal>
-       </transf>
-       </goal>
-      </transf>
-      </goal>
-      <goal name="swap&#39;vc.12.0.0.0.1" expl="VC for swap" proved="true">
-      <proof prover="2"><result status="valid" time="0.14" steps="688"/></proof>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap&#39;vc.13" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap&#39;vc.13.0" expl="postcondition" proved="true">
-   <proof prover="4"><result status="valid" time="0.84" steps="103206"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap&#39;vc.14" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="276"/></proof>
-  </goal>
-  <goal name="swap&#39;vc.15" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap&#39;vc.15.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.07" steps="327"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap&#39;vc.16" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap&#39;vc.16.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.08" steps="333"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="swap&#39;vc.17" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="swap&#39;vc.17.0" expl="postcondition" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="swap&#39;vc.17.0.0" expl="postcondition" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="swap&#39;vc.17.0.0.0" expl="VC for swap" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="swap&#39;vc.17.0.0.0.0" expl="VC for swap" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="swap&#39;vc.17.0.0.0.0.0" expl="VC for swap" proved="true">
-       <proof prover="2" timelimit="30" memlimit="4000"><result status="valid" time="26.80" steps="367202"/></proof>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-     <goal name="swap&#39;vc.17.0.0.1" expl="VC for swap" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="swap&#39;vc.17.0.0.1.0" expl="VC for swap" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="swap&#39;vc.17.0.0.1.0.0" expl="VC for swap" proved="true">
-       <proof prover="2" timelimit="30" memlimit="4000"><result status="valid" time="26.73" steps="369991"/></proof>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Watches_UpdateWatch" proved="true">
- <goal name="update_watch&#39;vc" expl="VC for update_watch" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="update_watch&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="58"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="524"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.2" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="563"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.3" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="682"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="542"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.5" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="299"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.6" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="335"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.7" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="355"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.8" expl="assertion" proved="true">
-  <proof prover="4"><result status="valid" time="0.70" steps="100347"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.9" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="update_watch&#39;vc.9.0" expl="assertion" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="update_watch&#39;vc.9.0.0" expl="assertion" proved="true">
-    <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.39" steps="161108"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="update_watch&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="169"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.11" expl="unreachable point" proved="true">
-  <proof prover="3"><result status="valid" time="0.26" steps="691590"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.12" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="199"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.13" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.16" steps="462"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.14" expl="assertion" proved="true">
-  <proof prover="4"><result status="valid" time="0.85" steps="99302"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.15" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="update_watch&#39;vc.15.0" expl="assertion" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="update_watch&#39;vc.15.0.0" expl="assertion" proved="true">
-    <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="2.52" steps="259008"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="update_watch&#39;vc.16" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="update_watch&#39;vc.16.0" expl="assertion" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="update_watch&#39;vc.16.0.0" expl="assertion" proved="true">
-    <proof prover="4" timelimit="30" memlimit="4000"><result status="valid" time="11.07" steps="1981902"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="update_watch&#39;vc.17" expl="assertion" proved="true">
-  <proof prover="4"><result status="valid" time="0.92" steps="118427"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.18" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.84" steps="4214"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.19" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="226"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.20" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.36" steps="1733"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.21" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="287"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.22" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="update_watch&#39;vc.22.0" expl="assertion" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="update_watch&#39;vc.22.0.0" expl="assertion" proved="true">
-    <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.55" steps="153496"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="update_watch&#39;vc.23" expl="assertion" proved="true">
-  <proof prover="3"><result status="valid" time="0.52" steps="972084"/></proof>
-  </goal>
-  <goal name="update_watch&#39;vc.24" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="update_watch&#39;vc.24.0" expl="assertion" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="7.12" steps="1096666"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="update_watch&#39;vc.25" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.22" steps="676"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_UnitProp_CheckAndMoveWatch" proved="true">
- <goal name="check_and_move_watch&#39;vc" expl="VC for check_and_move_watch" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="check_and_move_watch&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="124"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="138"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.16" steps="1481"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.3" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="147"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.4" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="152"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.5" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="154"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.6" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="165"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.7" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.21" steps="358"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.8" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="170"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.9" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="312"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.10" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="110"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="176"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="182"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="125"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.14" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="127"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.15" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="128"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.16" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="130"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.17" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="136"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.18" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="139"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.19" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="143"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.20" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="147"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.21" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="179"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.22" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="181"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.23" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="182"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.24" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="381"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.25" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="199"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.26" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="201"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.27" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="202"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.28" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.31" steps="1721"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.29" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="231"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.30" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="232"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.31" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="237"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.32" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="241"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.33" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="242"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.34" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="245"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.35" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="480"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.36" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.16" steps="486"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.37" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="291"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.38" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.16" steps="443"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.39" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="456"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.40" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="458"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.41" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="477"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.42" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.28" steps="988"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.43" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="483"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.44" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="244"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.45" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="490"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.46" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="129"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.47" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="130"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.48" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="131"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.49" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="134"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.50" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="140"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.51" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="143"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.52" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="146"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.53" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="150"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.54" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="187"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.55" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="188"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.56" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="193"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.57" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="196"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.58" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="197"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.59" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="200"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.60" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="393"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.61" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="400"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.62" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="242"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.63" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="358"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.64" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="368"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.65" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="370"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.66" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="389"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.67" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="388"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.68" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="394"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.69" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="201"/></proof>
-  </goal>
-  <goal name="check_and_move_watch&#39;vc.70" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="400"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_UnitProp_ExistsNewWatchableLit" proved="true">
- <goal name="exists_new_watchable_lit&#39;vc" expl="VC for exists_new_watchable_lit" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="exists_new_watchable_lit&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="64"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="165"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.2" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="765"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.3" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="108"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.4" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="108"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.5" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="110"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.6" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="120"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.7" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="150"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.8" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="152"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.9" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="152"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.10" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="379"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.11" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="153"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.12" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="152"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.13" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.13.0" expl="postcondition" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="0.51" steps="72695"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.14" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.51" steps="72712"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.15" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="383"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.16" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="459"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.17" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="389"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.18" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.18.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.13" steps="405"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.19" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.19.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.12" steps="411"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.20" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="878"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.21" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="204"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.22" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="205"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.23" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="207"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.24" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="208"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.25" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="211"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.26" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="234"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.27" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="244"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.28" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="913"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.29" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="305"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.30" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="625"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.31" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.22" steps="1116"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.32" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="299"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.33" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="299"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.34" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="636"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.35" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="754"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.36" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="316"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.37" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="280"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.38" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.38.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.38" steps="1343"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.39" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.39.0" expl="assertion" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="exists_new_watchable_lit&#39;vc.39.0.0" expl="assertion" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="exists_new_watchable_lit&#39;vc.39.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="exists_new_watchable_lit&#39;vc.39.0.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="exists_new_watchable_lit&#39;vc.39.0.0.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-       <proof prover="2" timelimit="30" memlimit="4000"><result status="valid" time="1.16" steps="6677"/></proof>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-     <goal name="exists_new_watchable_lit&#39;vc.39.0.0.1" expl="VC for exists_new_watchable_lit" proved="true">
-     <proof prover="2"><result status="valid" time="1.16" steps="7255"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.40" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.40.0" expl="assertion" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="exists_new_watchable_lit&#39;vc.40.0.0" expl="assertion" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="exists_new_watchable_lit&#39;vc.40.0.0.0" expl="assertion" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="exists_new_watchable_lit&#39;vc.40.0.0.0.0" expl="assertion" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="exists_new_watchable_lit&#39;vc.40.0.0.0.0.0" expl="assertion" proved="true">
-       <transf name="split_all_full" proved="true" >
-        <goal name="exists_new_watchable_lit&#39;vc.40.0.0.0.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-        <proof prover="2"><result status="valid" time="1.02" steps="5590"/></proof>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.40.0.0.0.0.0.1" expl="VC for exists_new_watchable_lit" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="exists_new_watchable_lit&#39;vc.40.0.0.0.0.0.1.0" expl="VC for exists_new_watchable_lit" proved="true">
-         <transf name="inline_goal" proved="true" >
-          <goal name="exists_new_watchable_lit&#39;vc.40.0.0.0.0.0.1.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-          <transf name="split_all_full" proved="true" >
-           <goal name="exists_new_watchable_lit&#39;vc.40.0.0.0.0.0.1.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-           <proof prover="2"><result status="valid" time="0.10" steps="658"/></proof>
-           </goal>
-           <goal name="exists_new_watchable_lit&#39;vc.40.0.0.0.0.0.1.0.0.1" expl="VC for exists_new_watchable_lit" proved="true">
-           <proof prover="2"><result status="valid" time="1.58" steps="9739"/></proof>
-           </goal>
-           <goal name="exists_new_watchable_lit&#39;vc.40.0.0.0.0.0.1.0.0.2" expl="VC for exists_new_watchable_lit" proved="true">
-           <proof prover="2"><result status="valid" time="1.10" steps="6888"/></proof>
-           </goal>
-           <goal name="exists_new_watchable_lit&#39;vc.40.0.0.0.0.0.1.0.0.3" expl="VC for exists_new_watchable_lit" proved="true">
-           <proof prover="2"><result status="valid" time="0.10" steps="658"/></proof>
-           </goal>
-           <goal name="exists_new_watchable_lit&#39;vc.40.0.0.0.0.0.1.0.0.4" expl="VC for exists_new_watchable_lit" proved="true">
-           <proof prover="2"><result status="valid" time="1.55" steps="9737"/></proof>
-           </goal>
-           <goal name="exists_new_watchable_lit&#39;vc.40.0.0.0.0.0.1.0.0.5" expl="VC for exists_new_watchable_lit" proved="true">
-           <proof prover="2"><result status="valid" time="0.94" steps="5383"/></proof>
-           </goal>
-          </transf>
-          </goal>
-         </transf>
-         </goal>
-        </transf>
-        </goal>
-       </transf>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.41" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.41.0" expl="postcondition" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="5.25" steps="39683"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.42" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.42.0" expl="postcondition" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="exists_new_watchable_lit&#39;vc.42.0.0" expl="postcondition" proved="true">
-    <transf name="inline_goal" proved="true" >
-     <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0" expl="postcondition" proved="true">
-     <transf name="split_all_full" proved="true" >
-      <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-       <transf name="split_all_full" proved="true" >
-        <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-        <proof prover="2"><result status="valid" time="0.79" steps="4646"/></proof>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0.0.1" expl="VC for exists_new_watchable_lit" proved="true">
-        <proof prover="2"><result status="valid" time="0.20" steps="638"/></proof>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0.0.2" expl="VC for exists_new_watchable_lit" proved="true">
-        <proof prover="2"><result status="valid" time="0.79" steps="4739"/></proof>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0.0.3" expl="VC for exists_new_watchable_lit" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0.0.3.0" expl="VC for exists_new_watchable_lit" proved="true">
-         <transf name="inline_goal" proved="true" >
-          <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0.0.3.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-          <proof prover="2" timelimit="30" memlimit="4000"><result status="valid" time="5.63" steps="46153"/></proof>
-          </goal>
-         </transf>
-         </goal>
-        </transf>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0.0.4" expl="VC for exists_new_watchable_lit" proved="true">
-        <proof prover="2"><result status="valid" time="0.34" steps="1348"/></proof>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0.0.5" expl="VC for exists_new_watchable_lit" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0.0.5.0" expl="VC for exists_new_watchable_lit" proved="true">
-         <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.58" steps="12632"/></proof>
-         </goal>
-        </transf>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0.0.6" expl="VC for exists_new_watchable_lit" proved="true">
-        <proof prover="2"><result status="valid" time="0.34" steps="1364"/></proof>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0.0.7" expl="VC for exists_new_watchable_lit" proved="true">
-        <proof prover="2"><result status="valid" time="0.33" steps="1365"/></proof>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0.0.8" expl="VC for exists_new_watchable_lit" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.0.0.8.0" expl="VC for exists_new_watchable_lit" proved="true">
-         <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.81" steps="12549"/></proof>
-         </goal>
-        </transf>
-        </goal>
-       </transf>
-       </goal>
-      </transf>
-      </goal>
-      <goal name="exists_new_watchable_lit&#39;vc.42.0.0.0.1" expl="VC for exists_new_watchable_lit" proved="true">
-      <proof prover="2"><result status="valid" time="0.34" steps="1400"/></proof>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.43" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.43.0" expl="postcondition" proved="true">
-   <proof prover="4"><result status="valid" time="0.79" steps="94004"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.44" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="316"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.45" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.16" steps="316"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.46" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.46.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.14" steps="652"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.47" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.47.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.20" steps="660"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.48" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.22" steps="1166"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.49" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="162"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.50" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="163"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.51" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="164"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.52" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="167"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.53" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="170"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.54" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="188"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.55" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="198"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.56" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="203"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.57" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="244"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.58" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="503"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.59" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="249"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.60" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="249"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.61" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="249"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.62" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="612"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.63" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="263"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.64" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="235"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.65" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.65.0" expl="assertion" proved="true">
-   <proof prover="2"><result status="valid" time="0.35" steps="1250"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.66" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.66.0" expl="assertion" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="exists_new_watchable_lit&#39;vc.66.0.0" expl="assertion" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="exists_new_watchable_lit&#39;vc.66.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="exists_new_watchable_lit&#39;vc.66.0.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="exists_new_watchable_lit&#39;vc.66.0.0.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-       <proof prover="2" timelimit="30" memlimit="4000"><result status="valid" time="1.02" steps="7670"/></proof>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-     <goal name="exists_new_watchable_lit&#39;vc.66.0.0.1" expl="VC for exists_new_watchable_lit" proved="true">
-     <proof prover="2"><result status="valid" time="1.11" steps="8364"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.67" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.67.0" expl="assertion" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="exists_new_watchable_lit&#39;vc.67.0.0" expl="assertion" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="exists_new_watchable_lit&#39;vc.67.0.0.0" expl="assertion" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="exists_new_watchable_lit&#39;vc.67.0.0.0.0" expl="assertion" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="exists_new_watchable_lit&#39;vc.67.0.0.0.0.0" expl="assertion" proved="true">
-       <transf name="split_all_full" proved="true" >
-        <goal name="exists_new_watchable_lit&#39;vc.67.0.0.0.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-        <proof prover="2"><result status="valid" time="0.84" steps="6632"/></proof>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.67.0.0.0.0.0.1" expl="VC for exists_new_watchable_lit" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="exists_new_watchable_lit&#39;vc.67.0.0.0.0.0.1.0" expl="VC for exists_new_watchable_lit" proved="true">
-         <transf name="inline_goal" proved="true" >
-          <goal name="exists_new_watchable_lit&#39;vc.67.0.0.0.0.0.1.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-          <transf name="split_all_full" proved="true" >
-           <goal name="exists_new_watchable_lit&#39;vc.67.0.0.0.0.0.1.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-           <proof prover="2"><result status="valid" time="0.13" steps="545"/></proof>
-           </goal>
-           <goal name="exists_new_watchable_lit&#39;vc.67.0.0.0.0.0.1.0.0.1" expl="VC for exists_new_watchable_lit" proved="true">
-           <proof prover="3"><result status="valid" time="0.22" steps="592319"/></proof>
-           <proof prover="4"><result status="valid" time="0.78" steps="101468"/></proof>
-           </goal>
-           <goal name="exists_new_watchable_lit&#39;vc.67.0.0.0.0.0.1.0.0.2" expl="VC for exists_new_watchable_lit" proved="true">
-           <proof prover="2"><result status="valid" time="1.04" steps="6466"/></proof>
-           </goal>
-           <goal name="exists_new_watchable_lit&#39;vc.67.0.0.0.0.0.1.0.0.3" expl="VC for exists_new_watchable_lit" proved="true">
-           <proof prover="2"><result status="valid" time="0.13" steps="545"/></proof>
-           </goal>
-           <goal name="exists_new_watchable_lit&#39;vc.67.0.0.0.0.0.1.0.0.4" expl="VC for exists_new_watchable_lit" proved="true">
-           <proof prover="3"><result status="valid" time="0.22" steps="592329"/></proof>
-           <proof prover="4"><result status="valid" time="0.80" steps="101536"/></proof>
-           </goal>
-           <goal name="exists_new_watchable_lit&#39;vc.67.0.0.0.0.0.1.0.0.5" expl="VC for exists_new_watchable_lit" proved="true">
-           <proof prover="2"><result status="valid" time="0.93" steps="5590"/></proof>
-           </goal>
-          </transf>
-          </goal>
-         </transf>
-         </goal>
-        </transf>
-        </goal>
-       </transf>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.68" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.68.0" expl="postcondition" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="exists_new_watchable_lit&#39;vc.68.0.0" expl="postcondition" proved="true">
-    <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="3.10" steps="21931"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.69" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.69.0" expl="postcondition" proved="true">
-   <transf name="split_vc" proved="true" >
-    <goal name="exists_new_watchable_lit&#39;vc.69.0.0" expl="postcondition" proved="true">
-    <transf name="inline_goal" proved="true" >
-     <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0" expl="postcondition" proved="true">
-     <transf name="split_all_full" proved="true" >
-      <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-       <transf name="split_all_full" proved="true" >
-        <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-        <proof prover="2"><result status="valid" time="0.93" steps="6290"/></proof>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0.0.1" expl="VC for exists_new_watchable_lit" proved="true">
-        <proof prover="2"><result status="valid" time="0.16" steps="530"/></proof>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0.0.2" expl="VC for exists_new_watchable_lit" proved="true">
-        <proof prover="2"><result status="valid" time="0.85" steps="5978"/></proof>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0.0.3" expl="VC for exists_new_watchable_lit" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0.0.3.0" expl="VC for exists_new_watchable_lit" proved="true">
-         <transf name="inline_goal" proved="true" >
-          <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0.0.3.0.0" expl="VC for exists_new_watchable_lit" proved="true">
-          <proof prover="2" timelimit="30" memlimit="4000"><result status="valid" time="5.72" steps="44059"/></proof>
-          </goal>
-         </transf>
-         </goal>
-        </transf>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0.0.4" expl="VC for exists_new_watchable_lit" proved="true">
-        <proof prover="2"><result status="valid" time="0.27" steps="1243"/></proof>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0.0.5" expl="VC for exists_new_watchable_lit" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0.0.5.0" expl="VC for exists_new_watchable_lit" proved="true">
-         <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.93" steps="16136"/></proof>
-         </goal>
-        </transf>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0.0.6" expl="VC for exists_new_watchable_lit" proved="true">
-        <proof prover="2"><result status="valid" time="0.30" steps="1248"/></proof>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0.0.7" expl="VC for exists_new_watchable_lit" proved="true">
-        <proof prover="2"><result status="valid" time="0.29" steps="1253"/></proof>
-        </goal>
-        <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0.0.8" expl="VC for exists_new_watchable_lit" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.0.0.8.0" expl="VC for exists_new_watchable_lit" proved="true">
-         <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.59" steps="14417"/></proof>
-         </goal>
-        </transf>
-        </goal>
-       </transf>
-       </goal>
-      </transf>
-      </goal>
-      <goal name="exists_new_watchable_lit&#39;vc.69.0.0.0.1" expl="VC for exists_new_watchable_lit" proved="true">
-      <proof prover="2"><result status="valid" time="0.30" steps="1293"/></proof>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.70" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.70.0" expl="postcondition" proved="true">
-   <proof prover="4"><result status="valid" time="0.79" steps="92449"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.71" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="268"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.72" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="269"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.73" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.31" steps="1209"/></proof>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.74" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="exists_new_watchable_lit&#39;vc.74.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.19" steps="551"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="exists_new_watchable_lit&#39;vc.75" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.31" steps="1052"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_UnitProp_PropagateLitWithRegardToClause" proved="true">
- <goal name="propagate_lit_with_regard_to_clause&#39;vc" expl="VC for propagate_lit_with_regard_to_clause" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="121"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="124"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="940"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.3" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="139"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="1218"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.5" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="116"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.6" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="117"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.7" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="118"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.8" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="119"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.9" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="143"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="159"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="137"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="138"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="144"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.14" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="258"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.15" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.81" steps="5887"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.16" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.49" steps="3758"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.17" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.53" steps="4127"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.18" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="347"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.19" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="356"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.20" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="358"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.21" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="357"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.22" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.49" steps="3238"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.23" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="395"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.24" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="396"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.25" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="190"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.26" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="318"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.27" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="217"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.28" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="219"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.29" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="220"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.30" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="222"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.31" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="229"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.32" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="232"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.33" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="232"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.34" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="374"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.35" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="263"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.36" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="421"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.37" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="282"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.38" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="283"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.39" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.52" steps="1039985"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.40" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.85" steps="6177"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.41" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="propagate_lit_with_regard_to_clause&#39;vc.41.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.18" steps="498"/></proof>
-   </goal>
-   <goal name="propagate_lit_with_regard_to_clause&#39;vc.41.1" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.18" steps="499"/></proof>
-   </goal>
-   <goal name="propagate_lit_with_regard_to_clause&#39;vc.41.2" expl="precondition" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="1.34" steps="10366"/></proof>
-   </goal>
-   <goal name="propagate_lit_with_regard_to_clause&#39;vc.41.3" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.19" steps="500"/></proof>
-   </goal>
-   <goal name="propagate_lit_with_regard_to_clause&#39;vc.41.4" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.18" steps="491"/></proof>
-   </goal>
-   <goal name="propagate_lit_with_regard_to_clause&#39;vc.41.5" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.19" steps="492"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.42" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="1.08" steps="129494"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.43" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.23" steps="1632"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.44" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.23" steps="1647"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.45" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="1.02" steps="7497"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.46" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.34" steps="1462"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.47" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="453"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.48" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="466"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.49" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="468"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.50" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="469"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.51" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.40" steps="1787"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.52" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.25" steps="508"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.53" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.31" steps="1206"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.54" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.56" steps="4206"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.55" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="179"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.56" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.43" steps="2820"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.57" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="propagate_lit_with_regard_to_clause&#39;vc.57.0" expl="assertion" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="propagate_lit_with_regard_to_clause&#39;vc.57.0.0" expl="assertion" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="propagate_lit_with_regard_to_clause&#39;vc.57.0.0.0" expl="assertion" proved="true">
-     <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="4.38" steps="41021"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.58" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="211"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.59" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="213"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.60" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.30" steps="779843"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.61" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.59" steps="4223"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.62" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.79" steps="5973"/></proof>
-  <proof prover="4"><result status="valid" time="1.11" steps="123726"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.63" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.33" steps="877245"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.64" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.31" steps="1329"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.65" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.33" steps="1344"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.66" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.79" steps="5600"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.67" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.22" steps="1226"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.68" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="349"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.69" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="propagate_lit_with_regard_to_clause&#39;vc.69.0" expl="postcondition" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="0.97" steps="122651"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.70" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="362"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.71" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="364"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.72" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.36" steps="1553"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.73" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="398"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.74" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="399"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.75" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="346"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.76" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="propagate_lit_with_regard_to_clause&#39;vc.76.0" expl="postcondition" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="0.81" steps="99473"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.77" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="357"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.78" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="356"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.79" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.32" steps="1434"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.80" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="388"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.81" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="389"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.82" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="219"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.83" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="226"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.84" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="228"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.85" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="228"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.86" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.27" steps="697"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.87" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="251"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.88" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="253"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.89" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="104"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.90" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="1861"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.91" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="119"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.92" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="155"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.93" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="176"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.94" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="289"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.95" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="296"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.96" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="propagate_lit_with_regard_to_clause&#39;vc.96.0" expl="postcondition" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.62" steps="184680"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.97" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="299"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.98" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.19" steps="961"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.99" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="324"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.100" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.21" steps="754"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.101" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="86"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.102" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.16" steps="1334"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.103" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="101"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.104" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="141"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.105" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="166"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.106" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="274"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.107" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="282"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.108" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="propagate_lit_with_regard_to_clause&#39;vc.108.0" expl="postcondition" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="1.60" steps="181738"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.109" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="284"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.110" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.23" steps="915"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.111" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="310"/></proof>
-  </goal>
-  <goal name="propagate_lit_with_regard_to_clause&#39;vc.112" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.21" steps="735"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_UnitProp_PropagateLiteral" proved="true">
- <goal name="propagate_literal&#39;vc" expl="VC for propagate_literal" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="propagate_literal&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="44"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.1" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="254"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.2" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="69"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.3" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="70"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.4" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="73"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.5" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="76"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.6" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="230"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.7" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="78"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.8" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="80"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.9" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="83"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.10" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="86"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.11" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="86"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.12" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="86"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="125"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.14" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="239"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.15" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="246"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.16" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="248"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.17" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="266"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.18" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="265"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.19" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="268"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.20" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="143"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.21" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="155"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.22" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.29" steps="1675"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.23" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="189"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.24" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="191"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.25" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="192"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.26" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="220"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.27" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="247"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.28" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="229"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.29" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="231"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.30" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.37" steps="2069"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.31" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.36" steps="2317"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.32" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="212"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.33" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.22" steps="877"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.34" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="217"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.35" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="787"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.36" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="219"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.37" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="221"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.38" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="223"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.39" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="227"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.40" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="227"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.41" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="227"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.42" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="1012"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.43" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="220"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.44" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.21" steps="921"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.45" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="225"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.46" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="827"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.47" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="228"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.48" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="230"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.49" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="233"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.50" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="235"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.51" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="235"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.52" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="235"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.53" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="373"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.54" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="384"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.55" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="386"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.56" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.39" steps="2018"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.57" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="411"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.58" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.23" steps="877"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.59" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.16" steps="797"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.60" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="181"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.61" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="181"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.62" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="181"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.63" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="181"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.64" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="181"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.65" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="181"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.66" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="181"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.67" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="181"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.68" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="181"/></proof>
-  </goal>
-  <goal name="propagate_literal&#39;vc.69" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="181"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_UnitProp_UnitPropagate" proved="true">
- <goal name="unit_propagate&#39;vc" expl="VC for unit_propagate" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="unit_propagate&#39;vc.0" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="44"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="45"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.2" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="46"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.3" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="47"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.4" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="105"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.5" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="50"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.6" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="53"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.7" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="53"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.8" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="53"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.9" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="128"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.10" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="unit_propagate&#39;vc.10.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.34" steps="2160"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="unit_propagate&#39;vc.11" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="136"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.12" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="149"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.13" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="147"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.14" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="148"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.15" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="82"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.16" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="103"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.17" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="104"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.18" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="106"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.19" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="107"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.20" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="1045"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.21" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="452"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.22" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="127"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.23" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="128"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.24" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="465"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.25" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="132"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.26" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="388"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.27" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="135"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.28" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="136"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.29" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="137"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.30" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="137"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.31" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="192"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.32" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="200"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.33" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="unit_propagate&#39;vc.33.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.11" steps="201"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="unit_propagate&#39;vc.34" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.19" steps="1149"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.35" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="218"/></proof>
-  </goal>
-  <goal name="unit_propagate&#39;vc.36" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="427"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Solver_Impl0_UnitPropStep" proved="true">
- <goal name="unit_prop_step&#39;vc" expl="VC for unit_prop_step" proved="true">
- <proof prover="4"><result status="valid" time="0.70" steps="105258"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Solver_Impl0_UnitPropLoop" proved="true">
- <goal name="unit_prop_loop&#39;vc" expl="VC for unit_prop_loop" proved="true">
- <proof prover="2"><result status="valid" time="1.03" steps="5336"/></proof>
- </goal>
-</theory>
-<theory name="CreuSat_Trail_Impl0_EnqDecision" proved="true">
- <goal name="enq_decision&#39;vc" expl="VC for enq_decision" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="enq_decision&#39;vc.0" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_decision&#39;vc.0.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="427"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_decision&#39;vc.1" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_decision&#39;vc.1.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="542"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_decision&#39;vc.2" expl="integer overflow" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_decision&#39;vc.2.0" expl="integer overflow" proved="true">
-   <proof prover="2"><result status="valid" time="0.05" steps="349"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_decision&#39;vc.3" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_decision&#39;vc.3.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.08" steps="697"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_decision&#39;vc.4" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_decision&#39;vc.4.0" expl="assertion" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="enq_decision&#39;vc.4.0.0" expl="assertion" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="enq_decision&#39;vc.4.0.0.0" expl="assertion" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="enq_decision&#39;vc.4.0.0.0.0" expl="assertion" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="enq_decision&#39;vc.4.0.0.0.0.0" expl="assertion" proved="true">
-       <transf name="split_all_full" proved="true" >
-        <goal name="enq_decision&#39;vc.4.0.0.0.0.0.0" expl="assertion" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="enq_decision&#39;vc.4.0.0.0.0.0.0.0" expl="assertion" proved="true">
-         <transf name="inline_goal" proved="true" >
-          <goal name="enq_decision&#39;vc.4.0.0.0.0.0.0.0.0" expl="assertion" proved="true">
-          <proof prover="2" timelimit="30" memlimit="4000"><result status="valid" time="9.99" steps="79877"/></proof>
-          </goal>
-         </transf>
-         </goal>
-        </transf>
-        </goal>
-       </transf>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_decision&#39;vc.5" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_decision&#39;vc.5.0" expl="assertion" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="enq_decision&#39;vc.5.0.0" expl="assertion" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="enq_decision&#39;vc.5.0.0.0" expl="assertion" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="enq_decision&#39;vc.5.0.0.0.0" expl="assertion" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="enq_decision&#39;vc.5.0.0.0.0.0" expl="assertion" proved="true">
-       <transf name="split_all_full" proved="true" >
-        <goal name="enq_decision&#39;vc.5.0.0.0.0.0.0" expl="VC for enq_decision" proved="true">
-        <proof prover="2"><result status="valid" time="0.74" steps="5265"/></proof>
-        </goal>
-        <goal name="enq_decision&#39;vc.5.0.0.0.0.0.1" expl="VC for enq_decision" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="enq_decision&#39;vc.5.0.0.0.0.0.1.0" expl="VC for enq_decision" proved="true">
-         <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="2.80" steps="26215"/></proof>
-         </goal>
-        </transf>
-        </goal>
-        <goal name="enq_decision&#39;vc.5.0.0.0.0.0.2" expl="VC for enq_decision" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="enq_decision&#39;vc.5.0.0.0.0.0.2.0" expl="VC for enq_decision" proved="true">
-         <transf name="inline_goal" proved="true" >
-          <goal name="enq_decision&#39;vc.5.0.0.0.0.0.2.0.0" expl="VC for enq_decision" proved="true">
-          <transf name="split_all_full" proved="true" >
-           <goal name="enq_decision&#39;vc.5.0.0.0.0.0.2.0.0.0" expl="VC for enq_decision" proved="true">
-           <transf name="split_vc" proved="true" >
-            <goal name="enq_decision&#39;vc.5.0.0.0.0.0.2.0.0.0.0" expl="VC for enq_decision" proved="true">
-            <transf name="inline_goal" proved="true" >
-             <goal name="enq_decision&#39;vc.5.0.0.0.0.0.2.0.0.0.0.0" expl="VC for enq_decision" proved="true">
-             <proof prover="2" timelimit="30" memlimit="4000"><result status="valid" time="22.77" steps="206180"/></proof>
-             </goal>
-            </transf>
-            </goal>
-           </transf>
-           </goal>
-           <goal name="enq_decision&#39;vc.5.0.0.0.0.0.2.0.0.1" expl="VC for enq_decision" proved="true">
-           <transf name="split_vc" proved="true" >
-            <goal name="enq_decision&#39;vc.5.0.0.0.0.0.2.0.0.1.0" expl="VC for enq_decision" proved="true">
-            <transf name="inline_goal" proved="true" >
-             <goal name="enq_decision&#39;vc.5.0.0.0.0.0.2.0.0.1.0.0" expl="VC for enq_decision" proved="true">
-             <proof prover="2" timelimit="30" memlimit="4000"><result status="valid" time="18.39" steps="167076"/></proof>
-             </goal>
-            </transf>
-            </goal>
-           </transf>
-           </goal>
-          </transf>
-          </goal>
-         </transf>
-         </goal>
-        </transf>
-        </goal>
-       </transf>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_decision&#39;vc.6" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_decision&#39;vc.6.0" expl="assertion" proved="true">
-   <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="3.28" steps="25302"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_decision&#39;vc.7" expl="assertion" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_decision&#39;vc.7.0" expl="assertion" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="2.42" steps="230764"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_decision&#39;vc.8" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_decision&#39;vc.8.0" expl="postcondition" proved="true">
-   <transf name="inline_goal" proved="true" >
-    <goal name="enq_decision&#39;vc.8.0.0" expl="postcondition" proved="true">
-    <transf name="split_all_full" proved="true" >
-     <goal name="enq_decision&#39;vc.8.0.0.0" expl="VC for enq_decision" proved="true">
-     <transf name="split_vc" proved="true" >
-      <goal name="enq_decision&#39;vc.8.0.0.0.0" expl="VC for enq_decision" proved="true">
-      <transf name="inline_goal" proved="true" >
-       <goal name="enq_decision&#39;vc.8.0.0.0.0.0" expl="VC for enq_decision" proved="true">
-       <transf name="split_all_full" proved="true" >
-        <goal name="enq_decision&#39;vc.8.0.0.0.0.0.0" expl="VC for enq_decision" proved="true">
-        <proof prover="2"><result status="valid" time="0.15" steps="1790"/></proof>
-        </goal>
-        <goal name="enq_decision&#39;vc.8.0.0.0.0.0.1" expl="VC for enq_decision" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="enq_decision&#39;vc.8.0.0.0.0.0.1.0" expl="VC for enq_decision" proved="true">
-         <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="4.67" steps="36363"/></proof>
-         </goal>
-        </transf>
-        </goal>
-        <goal name="enq_decision&#39;vc.8.0.0.0.0.0.2" expl="VC for enq_decision" proved="true">
-        <proof prover="2"><result status="valid" time="0.13" steps="1192"/></proof>
-        </goal>
-        <goal name="enq_decision&#39;vc.8.0.0.0.0.0.3" expl="VC for enq_decision" proved="true">
-        <proof prover="2"><result status="valid" time="0.07" steps="316"/></proof>
-        </goal>
-        <goal name="enq_decision&#39;vc.8.0.0.0.0.0.4" expl="VC for enq_decision" proved="true">
-        <proof prover="2"><result status="valid" time="0.06" steps="305"/></proof>
-        </goal>
-        <goal name="enq_decision&#39;vc.8.0.0.0.0.0.5" expl="VC for enq_decision" proved="true">
-        <proof prover="2"><result status="valid" time="0.05" steps="321"/></proof>
-        </goal>
-        <goal name="enq_decision&#39;vc.8.0.0.0.0.0.6" expl="VC for enq_decision" proved="true">
-        <proof prover="2"><result status="valid" time="0.06" steps="307"/></proof>
-        </goal>
-        <goal name="enq_decision&#39;vc.8.0.0.0.0.0.7" expl="VC for enq_decision" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="enq_decision&#39;vc.8.0.0.0.0.0.7.0" expl="VC for enq_decision" proved="true">
-         <transf name="inline_goal" proved="true" >
-          <goal name="enq_decision&#39;vc.8.0.0.0.0.0.7.0.0" expl="VC for enq_decision" proved="true">
-          <proof prover="2" timelimit="30" memlimit="4000"><result status="valid" time="1.54" steps="15044"/></proof>
-          </goal>
-         </transf>
-         </goal>
-        </transf>
-        </goal>
-        <goal name="enq_decision&#39;vc.8.0.0.0.0.0.8" expl="VC for enq_decision" proved="true">
-        <transf name="split_vc" proved="true" >
-         <goal name="enq_decision&#39;vc.8.0.0.0.0.0.8.0" expl="VC for enq_decision" proved="true">
-         <proof prover="2" timelimit="5" memlimit="2000"><result status="valid" time="6.54" steps="61535"/></proof>
-         </goal>
-        </transf>
-        </goal>
-       </transf>
-       </goal>
-      </transf>
-      </goal>
-     </transf>
-     </goal>
-     <goal name="enq_decision&#39;vc.8.0.0.1" expl="VC for enq_decision" proved="true">
-     <proof prover="2"><result status="valid" time="0.26" steps="1547"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_decision&#39;vc.9" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_decision&#39;vc.9.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.10" steps="815"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_decision&#39;vc.10" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_decision&#39;vc.10.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.15" steps="1723"/></proof>
-   </goal>
-  </transf>
-  </goal>
-  <goal name="enq_decision&#39;vc.11" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="228"/></proof>
-  </goal>
-  <goal name="enq_decision&#39;vc.12" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="enq_decision&#39;vc.12.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="327"/></proof>
-   </goal>
-  </transf>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Solver_Impl0_OuterLoop" proved="true">
- <goal name="outer_loop&#39;vc" expl="VC for outer_loop" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="outer_loop&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="71"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="72"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="74"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.3" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="77"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="79"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.5" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="130"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.6" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="138"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.7" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="140"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.8" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="143"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.9" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="148"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.10" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="151"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.11" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="540"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.12" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="133"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.13" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="141"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.14" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="143"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.15" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="146"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.16" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="152"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.17" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="153"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.18" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="607"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.19" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="96"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.20" expl="division by zero" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="97"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.21" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="137"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.22" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="131"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.23" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.21" steps="451"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.24" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="149"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.25" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.16" steps="728"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.26" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="230"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.27" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="241"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.28" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="242"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.29" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="246"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.30" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="256"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.31" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.22" steps="257"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.32" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.23" steps="956"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.33" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="233"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.34" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="245"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.35" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="247"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.36" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="251"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.37" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="260"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.38" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="263"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.39" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.19" steps="584"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.40" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="149"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.41" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="151"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.42" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.25" steps="1164"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.43" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="295"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.44" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="704"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.45" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="257"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.46" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="270"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.47" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="272"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.48" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="275"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.49" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="286"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.50" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="288"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.51" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.30" steps="1055"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.52" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.53" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.54" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.55" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.56" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.57" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.58" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.59" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.60" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.61" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.62" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.63" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.64" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.65" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.66" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.67" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.68" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.69" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.70" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.71" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.72" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.73" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.74" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.75" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.76" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.77" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.78" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.79" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.80" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.81" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.82" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.83" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.84" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.85" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.86" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.87" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.88" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.89" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.90" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.91" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.92" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.93" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.94" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.95" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.96" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.97" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.98" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.99" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.100" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.101" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.102" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.103" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.104" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.105" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.106" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.107" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.108" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.109" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.110" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.111" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.112" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.113" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.114" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.115" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.116" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.117" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.118" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.119" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.120" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.121" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.122" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.123" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.124" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.125" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.126" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.127" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="115"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.128" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="142"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.129" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.19" steps="514"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.130" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="160"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.131" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.22" steps="820"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.132" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="258"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.133" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="269"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.134" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="271"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.135" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="275"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.136" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="285"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.137" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="288"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.138" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.28" steps="1032"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.139" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="262"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.140" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="275"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.141" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="276"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.142" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="279"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.143" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="291"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.144" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="292"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.145" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="638"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.146" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="162"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.147" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="163"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.148" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.24" steps="1272"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.149" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="330"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.150" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="781"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.151" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="288"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.152" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="301"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.153" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="303"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.154" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="307"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.155" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="319"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.156" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="320"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.157" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="1137"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.158" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="152"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.159" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="155"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.160" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="156"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.161" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="159"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.162" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="604"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.163" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="176"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.164" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="685"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.165" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="194"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.166" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.16" steps="1182"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.167" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="341"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.168" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="355"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.169" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="355"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.170" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="359"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.171" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="373"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.172" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="375"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.173" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.24" steps="1356"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.174" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="345"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.175" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="359"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.176" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="361"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.177" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="365"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.178" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="378"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.179" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="380"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.180" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.21" steps="847"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.181" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="194"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.182" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="196"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.183" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.59" steps="1751"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.184" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="428"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.185" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="217"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.186" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="380"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.187" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="396"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.188" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="398"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.189" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="401"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.190" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="416"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.191" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="419"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.192" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.19" steps="1442"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.193" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="151"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.194" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="152"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.195" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="154"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.196" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="155"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.197" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="155"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.198" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="155"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.199" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="174"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.200" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="177"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.201" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="179"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.202" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="182"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.203" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="682"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.204" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="199"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.205" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="757"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.206" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="218"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.207" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.26" steps="1277"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.208" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="370"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.209" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="383"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.210" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="385"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.211" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="389"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.212" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="404"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.213" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.21" steps="763"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.214" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.35" steps="1487"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.215" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="374"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.216" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="389"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.217" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="391"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.218" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="394"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.219" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="408"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.220" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.21" steps="770"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.221" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="904"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.222" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="219"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.223" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="220"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.224" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.50" steps="1890"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.225" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="460"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.226" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="240"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.227" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="410"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.228" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="426"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.229" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="427"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.230" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="430"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.231" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="446"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.232" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.23" steps="815"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.233" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.46" steps="1562"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.234" expl="assertion" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="108"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.235" expl="division by zero" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="109"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.236" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="225"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.237" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="827"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.238" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="145"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.239" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="742"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.240" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="163"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.241" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="1080"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.242" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="311"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.243" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="324"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.244" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="326"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.245" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="330"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.246" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="342"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.247" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="344"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.248" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.30" steps="1362"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.249" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="315"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.250" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="329"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.251" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="331"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.252" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="334"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.253" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="347"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.254" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="349"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.255" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="822"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.256" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="164"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.257" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="165"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.258" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.36" steps="2011"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.259" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="392"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.260" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.23" steps="1033"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.261" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="343"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.262" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="358"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.263" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="360"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.264" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="364"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.265" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="378"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.266" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="379"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.267" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.21" steps="1483"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.268" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.269" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.270" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.271" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.272" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.273" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.274" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.275" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.276" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.277" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.278" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.279" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.280" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.281" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.282" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.283" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.284" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.285" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.286" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.287" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.288" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.289" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.290" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.291" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.292" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.293" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.294" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.295" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.13" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.296" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.297" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.298" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.299" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.300" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.301" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.302" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.303" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.304" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.305" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.306" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.307" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.308" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.309" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.310" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.311" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.312" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.313" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.314" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.315" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.316" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.317" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.318" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.319" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.320" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.321" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.322" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.323" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.324" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.325" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.326" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.327" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.328" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.329" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.330" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.331" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.332" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.333" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.334" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.335" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.336" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.337" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.338" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.339" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.340" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.341" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.342" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.343" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="129"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.344" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="156"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.345" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.12" steps="838"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.346" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="173"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.347" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="1203"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.348" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="344"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.349" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="358"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.350" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="360"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.351" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="364"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.352" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="377"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.353" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="379"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.354" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="1492"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.355" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="348"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.356" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="363"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.357" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="364"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.358" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="367"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.359" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="382"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.360" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="384"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.361" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="915"/></proof>
-  </goal>
-  <goal name="outer_loop&#39;vc.362" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="175"/></proof>
+<theory name="CreuSat_Decision_Impl0" proved="true">
+ <goal name="Default1.default&#39;refn&#39;vc" expl="VC for default&#39;refn" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="20"/></proof>
+ </goal>
+</theory>
+<theory name="CreuSat_Solver_GetAssertingLevel" proved="true">
+ <goal name="get_asserting_level&#39;vc" expl="VC for get_asserting_level" proved="true">
+ <proof prover="2"><result status="valid" time="0.12" steps="4064"/></proof>
+ </goal>
+</theory>
+<theory name="CreuSat_Assignments_Impl1" proved="true">
+ <goal name="IndexMut1.index_mut&#39;refn&#39;vc" expl="VC for index_mut&#39;refn" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="20"/></proof>
+ </goal>
+</theory>
+<theory name="CreuSat_Solver_Impl0_HandleLongClause">
+ <goal name="handle_long_clause&#39;vc" expl="VC for handle_long_clause">
+ <transf name="split_vc" >
+  <goal name="handle_long_clause&#39;vc.0" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="90"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.363" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="176"/></proof>
+  <goal name="handle_long_clause&#39;vc.1" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="86"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.364" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.61" steps="2229"/></proof>
+  <goal name="handle_long_clause&#39;vc.2" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.08" steps="62"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.365" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="432"/></proof>
+  <goal name="handle_long_clause&#39;vc.3" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="97"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.366" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.26" steps="1150"/></proof>
+  <goal name="handle_long_clause&#39;vc.4" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="72"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.367" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="379"/></proof>
+  <goal name="handle_long_clause&#39;vc.5" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="73"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.368" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="394"/></proof>
+  <goal name="handle_long_clause&#39;vc.6" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="112"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.369" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="396"/></proof>
+  <goal name="handle_long_clause&#39;vc.7" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="76"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.370" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="399"/></proof>
+  <goal name="handle_long_clause&#39;vc.8" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="128"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.371" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="415"/></proof>
+  <goal name="handle_long_clause&#39;vc.9" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="292"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.372" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="418"/></proof>
+  <goal name="handle_long_clause&#39;vc.10" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="132"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.373" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.32" steps="1621"/></proof>
+  <goal name="handle_long_clause&#39;vc.11" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="140"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.374" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="166"/></proof>
+  <goal name="handle_long_clause&#39;vc.12" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="141"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.375" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="169"/></proof>
+  <goal name="handle_long_clause&#39;vc.13" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="92"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.376" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="170"/></proof>
+  <goal name="handle_long_clause&#39;vc.14" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="93"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.377" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="173"/></proof>
+  <goal name="handle_long_clause&#39;vc.15" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.09" steps="709"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.378" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="951"/></proof>
+  <goal name="handle_long_clause&#39;vc.16" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="115"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.379" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="190"/></proof>
+  <goal name="handle_long_clause&#39;vc.17" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="116"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.380" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.24" steps="1049"/></proof>
+  <goal name="handle_long_clause&#39;vc.18" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="117"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.381" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="207"/></proof>
+  <goal name="handle_long_clause&#39;vc.19" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="119"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.382" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.30" steps="1640"/></proof>
+  <goal name="handle_long_clause&#39;vc.20" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="182"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.383" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="440"/></proof>
+  <goal name="handle_long_clause&#39;vc.21" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="128"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.384" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="456"/></proof>
+  <goal name="handle_long_clause&#39;vc.22" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="132"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.385" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="458"/></proof>
+  <goal name="handle_long_clause&#39;vc.23" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="187"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.386" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="461"/></proof>
+  <goal name="handle_long_clause&#39;vc.24" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="238"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.387" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="478"/></proof>
+  <goal name="handle_long_clause&#39;vc.25" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="239"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.388" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="479"/></proof>
+  <goal name="handle_long_clause&#39;vc.26" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="242"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.389" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.35" steps="1887"/></proof>
+  <goal name="handle_long_clause&#39;vc.27" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.11" steps="653"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.390" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="443"/></proof>
+  <goal name="handle_long_clause&#39;vc.28" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.07" steps="358"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.391" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="460"/></proof>
+  <goal name="handle_long_clause&#39;vc.29" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.08" steps="361"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.392" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="461"/></proof>
+  <goal name="handle_long_clause&#39;vc.30" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.10" steps="398"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.393" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="465"/></proof>
+  <goal name="handle_long_clause&#39;vc.31" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.13" steps="426"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.394" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="482"/></proof>
+  <goal name="handle_long_clause&#39;vc.32" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.17" steps="912"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.395" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="484"/></proof>
+  <goal name="handle_long_clause&#39;vc.33" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.11" steps="436"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.396" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.27" steps="1176"/></proof>
+  <goal name="handle_long_clause&#39;vc.34" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.03" steps="302"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.397" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="208"/></proof>
+  <goal name="handle_long_clause&#39;vc.35" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.08" steps="303"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.398" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="209"/></proof>
+  <goal name="handle_long_clause&#39;vc.36" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.26" steps="2887"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.399" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.99" steps="2896"/></proof>
+  <goal name="handle_long_clause&#39;vc.37" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.35" steps="4029"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.400" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="543"/></proof>
+  <goal name="handle_long_clause&#39;vc.38" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.51" steps="5587"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.401" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="232"/></proof>
+  <goal name="handle_long_clause&#39;vc.39" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.55" steps="6740"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.402" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="484"/></proof>
+  <goal name="handle_long_clause&#39;vc.40" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.27" steps="1327"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.403" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="502"/></proof>
+  <goal name="handle_long_clause&#39;vc.41" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.07" steps="324"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.404" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="504"/></proof>
+  <goal name="handle_long_clause&#39;vc.42" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.405" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="507"/></proof>
+  <goal name="handle_long_clause&#39;vc.43" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.406" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="525"/></proof>
+  <goal name="handle_long_clause&#39;vc.44" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.407" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="527"/></proof>
+  <goal name="handle_long_clause&#39;vc.45" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.408" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.38" steps="1992"/></proof>
+  <goal name="handle_long_clause&#39;vc.46" expl="postcondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.10" steps="574"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.409" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="165"/></proof>
+  <goal name="handle_long_clause&#39;vc.47" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.410" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="166"/></proof>
+ </transf>
+ </goal>
+</theory>
+<theory name="CreuSat_Solver_Impl0_HandleConflict">
+ <goal name="handle_conflict&#39;vc" expl="VC for handle_conflict">
+ <transf name="split_vc" >
+  <goal name="handle_conflict&#39;vc.0" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="54"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.411" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="167"/></proof>
+  <goal name="handle_conflict&#39;vc.1" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="88"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.412" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="168"/></proof>
+  <goal name="handle_conflict&#39;vc.2" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="57"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.413" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="168"/></proof>
+  <goal name="handle_conflict&#39;vc.3" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="59"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.414" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="169"/></proof>
+  <goal name="handle_conflict&#39;vc.4" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="64"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.415" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="188"/></proof>
+  <goal name="handle_conflict&#39;vc.5" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="66"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.416" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="191"/></proof>
+  <goal name="handle_conflict&#39;vc.6" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="68"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.417" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="192"/></proof>
+  <goal name="handle_conflict&#39;vc.7" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="69"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.418" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="196"/></proof>
+  <goal name="handle_conflict&#39;vc.8" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="120"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.419" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="1034"/></proof>
+  <goal name="handle_conflict&#39;vc.9" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="130"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.420" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="213"/></proof>
+  <goal name="handle_conflict&#39;vc.10" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="77"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.421" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="1129"/></proof>
+  <goal name="handle_conflict&#39;vc.11" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="135"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.422" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="232"/></proof>
+  <goal name="handle_conflict&#39;vc.12" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="129"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.423" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.34" steps="1746"/></proof>
+  <goal name="handle_conflict&#39;vc.13" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="139"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.424" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="469"/></proof>
+  <goal name="handle_conflict&#39;vc.14" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="113"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.425" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="486"/></proof>
+  <goal name="handle_conflict&#39;vc.15" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="116"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.426" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="487"/></proof>
+  <goal name="handle_conflict&#39;vc.16" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="119"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.427" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="491"/></proof>
+  <goal name="handle_conflict&#39;vc.17" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="122"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.428" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.17" steps="508"/></proof>
+  <goal name="handle_conflict&#39;vc.18" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="126"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.429" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.23" steps="1065"/></proof>
+  <goal name="handle_conflict&#39;vc.19" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.13" steps="846"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.430" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.55" steps="2013"/></proof>
+  <goal name="handle_conflict&#39;vc.20" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.09" steps="497"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.431" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="474"/></proof>
+  <goal name="handle_conflict&#39;vc.21" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="147"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.432" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="490"/></proof>
+  <goal name="handle_conflict&#39;vc.22" expl="precondition">
+  <transf name="split_vc" >
+   <goal name="handle_conflict&#39;vc.22.0" expl="precondition">
+   <proof prover="2"><result status="timeout" time="1.00"/></proof>
+   <proof prover="3"><result status="timeout" time="1.00"/></proof>
+   <proof prover="4"><undone/></proof>
+   </goal>
+  </transf>
   </goal>
-  <goal name="outer_loop&#39;vc.433" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="491"/></proof>
+  <goal name="handle_conflict&#39;vc.23" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="149"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.434" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="495"/></proof>
+  <goal name="handle_conflict&#39;vc.24" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="150"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.435" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="512"/></proof>
+  <goal name="handle_conflict&#39;vc.25" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="150"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.436" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.26" steps="1076"/></proof>
+  <goal name="handle_conflict&#39;vc.26" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="150"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.437" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.35" steps="1233"/></proof>
+  <goal name="handle_conflict&#39;vc.27" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.09" steps="167"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.438" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="232"/></proof>
+  <goal name="handle_conflict&#39;vc.28" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.08" steps="168"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.439" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="233"/></proof>
+  <goal name="handle_conflict&#39;vc.29" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.07" steps="169"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.440" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.21" steps="508103"/></proof>
+  <goal name="handle_conflict&#39;vc.30" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.07" steps="171"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.441" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="574"/></proof>
+  <goal name="handle_conflict&#39;vc.31" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.07" steps="87"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.442" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="255"/></proof>
+  <goal name="handle_conflict&#39;vc.32" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="88"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.443" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="514"/></proof>
+  <goal name="handle_conflict&#39;vc.33" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="90"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.444" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="532"/></proof>
+  <goal name="handle_conflict&#39;vc.34" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="92"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.445" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="533"/></proof>
+  <goal name="handle_conflict&#39;vc.35" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="95"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.446" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.19" steps="537"/></proof>
+  <goal name="handle_conflict&#39;vc.36" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="148"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.447" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="555"/></proof>
+  <goal name="handle_conflict&#39;vc.37" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="150"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.448" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.28" steps="1129"/></proof>
+  <goal name="handle_conflict&#39;vc.38" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="199"/></proof>
   </goal>
-  <goal name="outer_loop&#39;vc.449" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.55" steps="2117"/></proof>
+  <goal name="handle_conflict&#39;vc.39" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="204"/></proof>
   </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Solver_Impl0_Inner" proved="true">
- <goal name="inner&#39;vc" expl="VC for inner" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="inner&#39;vc.0" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="105"/></proof>
+  <goal name="handle_conflict&#39;vc.40" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="74"/></proof>
   </goal>
-  <goal name="inner&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="46"/></proof>
+  <goal name="handle_conflict&#39;vc.41" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.07" steps="75"/></proof>
   </goal>
-  <goal name="inner&#39;vc.2" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="47"/></proof>
+  <goal name="handle_conflict&#39;vc.42" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="76"/></proof>
   </goal>
-  <goal name="inner&#39;vc.3" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="49"/></proof>
+  <goal name="handle_conflict&#39;vc.43" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="128"/></proof>
   </goal>
-  <goal name="inner&#39;vc.4" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="50"/></proof>
+  <goal name="handle_conflict&#39;vc.44" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="79"/></proof>
   </goal>
-  <goal name="inner&#39;vc.5" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="52"/></proof>
+  <goal name="handle_conflict&#39;vc.45" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="136"/></proof>
   </goal>
-  <goal name="inner&#39;vc.6" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="52"/></proof>
+  <goal name="handle_conflict&#39;vc.46" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="138"/></proof>
   </goal>
-  <goal name="inner&#39;vc.7" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="97"/></proof>
+  <goal name="handle_conflict&#39;vc.47" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="117"/></proof>
   </goal>
-  <goal name="inner&#39;vc.8" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="98"/></proof>
+  <goal name="handle_conflict&#39;vc.48" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="118"/></proof>
   </goal>
-  <goal name="inner&#39;vc.9" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="99"/></proof>
+  <goal name="handle_conflict&#39;vc.49" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="122"/></proof>
   </goal>
-  <goal name="inner&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="102"/></proof>
+  <goal name="handle_conflict&#39;vc.50" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.10" steps="442"/></proof>
   </goal>
-  <goal name="inner&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="105"/></proof>
+  <goal name="handle_conflict&#39;vc.51" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="inner&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="105"/></proof>
+  <goal name="handle_conflict&#39;vc.52" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="inner&#39;vc.13" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="inner&#39;vc.13.0" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.19" steps="1392"/></proof>
-   </goal>
-   <goal name="inner&#39;vc.13.1" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.05" steps="315"/></proof>
+  <goal name="handle_conflict&#39;vc.53" expl="postcondition">
+  <transf name="split_vc" >
+   <goal name="handle_conflict&#39;vc.53.0" expl="postcondition">
+   <proof prover="2"><result status="timeout" time="1.00"/></proof>
+   <proof prover="3"><result status="timeout" time="1.00"/></proof>
+   <proof prover="4"><undone/></proof>
    </goal>
-   <goal name="inner&#39;vc.13.2" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.19" steps="1584"/></proof>
-   </goal>
-   <goal name="inner&#39;vc.13.3" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.07" steps="169"/></proof>
-   </goal>
-   <goal name="inner&#39;vc.13.4" expl="postcondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.06" steps="171"/></proof>
+   <goal name="handle_conflict&#39;vc.53.1" expl="postcondition">
+   <proof prover="2"><result status="timeout" time="1.00"/></proof>
+   <proof prover="3"><result status="timeout" time="1.00"/></proof>
+   <proof prover="4"><undone/></proof>
    </goal>
   </transf>
   </goal>
-  <goal name="inner&#39;vc.14" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="168"/></proof>
-  </goal>
-  <goal name="inner&#39;vc.15" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="271"/></proof>
-  </goal>
-  <goal name="inner&#39;vc.16" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="118"/></proof>
-  </goal>
-  <goal name="inner&#39;vc.17" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="120"/></proof>
-  </goal>
-  <goal name="inner&#39;vc.18" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="171"/></proof>
-  </goal>
-  <goal name="inner&#39;vc.19" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="173"/></proof>
+  <goal name="handle_conflict&#39;vc.54" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="inner&#39;vc.20" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="180"/></proof>
+  <goal name="handle_conflict&#39;vc.55" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="inner&#39;vc.21" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="126"/></proof>
+  <goal name="handle_conflict&#39;vc.56" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="inner&#39;vc.22" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.20" steps="1089"/></proof>
-  </goal>
-  <goal name="inner&#39;vc.23" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="286"/></proof>
+  <goal name="handle_conflict&#39;vc.57" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
  </transf>
  </goal>
 </theory>
-<theory name="CreuSat_Trail_Impl0_New" proved="true">
- <goal name="new&#39;vc" expl="VC for new" proved="true">
- <proof prover="2"><result status="valid" time="0.10" steps="860"/></proof>
+<theory name="CreuSat_Solver_Impl0_UnitPropStep">
+ <goal name="unit_prop_step&#39;vc" expl="VC for unit_prop_step">
+ <proof prover="2"><result status="timeout" time="1.00"/></proof>
+ <proof prover="3"><result status="timeout" time="1.00"/></proof>
+ <proof prover="4"><undone/></proof>
  </goal>
 </theory>
-<theory name="CreuSat_Watches_Impl0_New" proved="true">
- <goal name="new&#39;vc" expl="VC for new" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="new&#39;vc.0" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="57"/></proof>
-  </goal>
-  <goal name="new&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="85"/></proof>
-  </goal>
-  <goal name="new&#39;vc.2" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="161"/></proof>
-  </goal>
-  <goal name="new&#39;vc.3" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="200"/></proof>
-  </goal>
-  <goal name="new&#39;vc.4" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="75"/></proof>
-  </goal>
-  <goal name="new&#39;vc.5" expl="loop invariant preservation" proved="true">
-  <proof prover="4"><result status="valid" time="0.41" steps="63767"/></proof>
-  </goal>
- </transf>
+<theory name="CreuSat_Solver_Impl0_UnitPropLoop">
+ <goal name="unit_prop_loop&#39;vc" expl="VC for unit_prop_loop">
+ <proof prover="2"><result status="timeout" time="2.00"/></proof>
+ <proof prover="3"><result status="timeout" time="1.00"/></proof>
+ <proof prover="4"><undone/></proof>
  </goal>
 </theory>
-<theory name="CreuSat_Watches_Impl0_InitWatches" proved="true">
- <goal name="init_watches&#39;vc" expl="VC for init_watches" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="init_watches&#39;vc.0" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="36"/></proof>
+<theory name="CreuSat_Solver_Impl0_OuterLoop">
+ <goal name="outer_loop&#39;vc" expl="VC for outer_loop">
+ <transf name="split_vc" >
+  <goal name="outer_loop&#39;vc.0" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="64"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="148"/></proof>
+  <goal name="outer_loop&#39;vc.1" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="65"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.2" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.02" steps="46"/></proof>
+  <goal name="outer_loop&#39;vc.2" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="66"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.3" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="97"/></proof>
+  <goal name="outer_loop&#39;vc.3" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="68"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="120"/></proof>
+  <goal name="outer_loop&#39;vc.4" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="72"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.5" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="290"/></proof>
+  <goal name="outer_loop&#39;vc.5" expl="assertion" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="87"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.6" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="82"/></proof>
+  <goal name="outer_loop&#39;vc.6" expl="division by zero" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="88"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.7" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="82"/></proof>
+  <goal name="outer_loop&#39;vc.7" expl="integer overflow" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="131"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.8" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="82"/></proof>
+  <goal name="outer_loop&#39;vc.8" expl="assertion" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="99"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.9" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="83"/></proof>
+  <goal name="outer_loop&#39;vc.9" expl="division by zero" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="100"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="881"/></proof>
+  <goal name="outer_loop&#39;vc.10" expl="integer overflow" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="217"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.11" steps="1064"/></proof>
+  <goal name="outer_loop&#39;vc.11" expl="integer overflow" proved="true">
+  <proof prover="2"><result status="valid" time="0.09" steps="818"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="115"/></proof>
+  <goal name="outer_loop&#39;vc.12" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="149"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="133"/></proof>
+  <goal name="outer_loop&#39;vc.13" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="151"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.14" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="1414"/></proof>
+  <goal name="outer_loop&#39;vc.14" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="152"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.15" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="init_watches&#39;vc.15.0" expl="precondition" proved="true">
-   <proof prover="2"><result status="valid" time="0.21" steps="2291"/></proof>
-   </goal>
-  </transf>
+  <goal name="outer_loop&#39;vc.15" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="152"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.16" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="161"/></proof>
+  <goal name="outer_loop&#39;vc.16" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="152"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.17" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="1024"/></proof>
+  <goal name="outer_loop&#39;vc.17" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="154"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.18" expl="loop invariant preservation" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="init_watches&#39;vc.18.0" expl="loop invariant preservation" proved="true">
-   <proof prover="4" timelimit="5" memlimit="2000"><result status="valid" time="3.37" steps="561087"/></proof>
-   </goal>
-  </transf>
+  <goal name="outer_loop&#39;vc.18" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.07" steps="156"/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.19" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.14" steps="812"/></proof>
+  <goal name="outer_loop&#39;vc.19" expl="precondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="init_watches&#39;vc.20" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="186"/></proof>
+  <goal name="outer_loop&#39;vc.20" expl="precondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Trail_Impl0_LearnUnits" proved="true">
- <goal name="learn_units&#39;vc" expl="VC for learn_units" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="learn_units&#39;vc.0" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="40"/></proof>
+  <goal name="outer_loop&#39;vc.21" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="893"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.1" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="41"/></proof>
+  <goal name="outer_loop&#39;vc.22" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="563"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.2" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="42"/></proof>
+  <goal name="outer_loop&#39;vc.23" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="235"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.3" expl="loop invariant init" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="43"/></proof>
+  <goal name="outer_loop&#39;vc.24" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.45" steps="5112"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.4" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="99"/></proof>
+  <goal name="outer_loop&#39;vc.25" expl="precondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.5" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="103"/></proof>
+  <goal name="outer_loop&#39;vc.26" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.60" steps="6837"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.6" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="109"/></proof>
+  <goal name="outer_loop&#39;vc.27" expl="precondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.7" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="117"/></proof>
+  <goal name="outer_loop&#39;vc.28" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="291"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.8" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="366"/></proof>
+  <goal name="outer_loop&#39;vc.29" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.14" steps="1015"/></proof>
+  <proof prover="3" obsolete="true"><result status="valid" time="0.21" steps="508103"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.9" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="88"/></proof>
+  <goal name="outer_loop&#39;vc.30" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.07" steps="160"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.10" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="88"/></proof>
+  <goal name="outer_loop&#39;vc.31" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.08" steps="516"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.11" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="88"/></proof>
+  <goal name="outer_loop&#39;vc.32" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.12" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="88"/></proof>
+  <goal name="outer_loop&#39;vc.33" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="82"/></proof>
+  <goal name="outer_loop&#39;vc.34" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.14" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.15" steps="1029"/></proof>
+  <goal name="outer_loop&#39;vc.35" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.15" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="108"/></proof>
+  <goal name="outer_loop&#39;vc.36" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.16" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="109"/></proof>
+  <goal name="outer_loop&#39;vc.37" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="2.00"/></proof>
+  <proof prover="3"><result status="timeout" time="1.00"/></proof>
+  <proof prover="4"><undone/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.17" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="110"/></proof>
+  <goal name="outer_loop&#39;vc.38" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="2.00"/></proof>
+  <proof prover="3"><undone/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.18" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="112"/></proof>
+ </transf>
+ </goal>
+</theory>
+<theory name="CreuSat_Solver_Impl0_Inner">
+ <goal name="inner&#39;vc" expl="VC for inner">
+ <transf name="split_vc" >
+  <goal name="inner&#39;vc.0" expl="loop invariant init" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="101"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.19" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="186"/></proof>
+  <goal name="inner&#39;vc.1" expl="loop invariant init" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="42"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.20" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="678"/></proof>
+  <goal name="inner&#39;vc.2" expl="loop invariant init" proved="true">
+  <proof prover="2"><result status="valid" time="0.03" steps="43"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.21" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.09" steps="441"/></proof>
+  <goal name="inner&#39;vc.3" expl="loop invariant init" proved="true">
+  <proof prover="2"><result status="valid" time="0.03" steps="44"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.22" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="436"/></proof>
+  <goal name="inner&#39;vc.4" expl="loop invariant init" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="45"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.23" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="124"/></proof>
+  <goal name="inner&#39;vc.5" expl="loop invariant init" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="46"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.24" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="126"/></proof>
+  <goal name="inner&#39;vc.6" expl="loop invariant init" proved="true">
+  <proof prover="2"><result status="valid" time="0.04" steps="47"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.25" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="126"/></proof>
+  <goal name="inner&#39;vc.7" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="91"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.26" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="126"/></proof>
+  <goal name="inner&#39;vc.8" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="92"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.27" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.18" steps="1148"/></proof>
+  <goal name="inner&#39;vc.9" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.07" steps="93"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.28" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.07" steps="364"/></proof>
+  <goal name="inner&#39;vc.10" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="96"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.29" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="110"/></proof>
+  <goal name="inner&#39;vc.11" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="98"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.30" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="110"/></proof>
+  <goal name="inner&#39;vc.12" expl="precondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.05" steps="98"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.31" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="110"/></proof>
+  <goal name="inner&#39;vc.13" expl="loop invariant preservation" proved="true">
+  <proof prover="2"><result status="valid" time="0.08" steps="272"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.32" expl="loop invariant preservation" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="110"/></proof>
+  <goal name="inner&#39;vc.14" expl="loop invariant preservation" proved="true">
+  <proof prover="2"><result status="valid" time="0.06" steps="119"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.33" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="118"/></proof>
+  <goal name="inner&#39;vc.15" expl="loop invariant preservation" proved="true">
+  <proof prover="2"><result status="valid" time="0.09" steps="121"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.34" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="119"/></proof>
+  <goal name="inner&#39;vc.16" expl="loop invariant preservation" proved="true">
+  <proof prover="2"><result status="valid" time="0.08" steps="173"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.35" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="120"/></proof>
+  <goal name="inner&#39;vc.17" expl="loop invariant preservation" proved="true">
+  <proof prover="2"><result status="valid" time="0.08" steps="174"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.36" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="514"/></proof>
+  <goal name="inner&#39;vc.18" expl="loop invariant preservation" proved="true">
+  <proof prover="2"><result status="valid" time="0.08" steps="181"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.37" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="168"/></proof>
+  <goal name="inner&#39;vc.19" expl="loop invariant preservation" proved="true">
+  <proof prover="2"><result status="valid" time="0.08" steps="127"/></proof>
   </goal>
-  <goal name="learn_units&#39;vc.38" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="172"/></proof>
+  <goal name="inner&#39;vc.20" expl="postcondition">
+  <transf name="split_vc" >
+   <goal name="inner&#39;vc.20.0" expl="postcondition">
+   <proof prover="2"><result status="timeout" time="1.00"/></proof>
+   <proof prover="3"><result status="timeout" time="1.00"/></proof>
+   <proof prover="4"><undone/></proof>
+   </goal>
+   <goal name="inner&#39;vc.20.1" expl="postcondition">
+   <proof prover="2"><result status="timeout" time="1.00"/></proof>
+   <proof prover="3"><result status="timeout" time="1.00"/></proof>
+   <proof prover="4"><undone/></proof>
+   </goal>
+   <goal name="inner&#39;vc.20.2" expl="postcondition">
+   <proof prover="2"><result status="timeout" time="1.00"/></proof>
+   <proof prover="3"><result status="timeout" time="1.00"/></proof>
+   <proof prover="4"><undone/></proof>
+   </goal>
+   <goal name="inner&#39;vc.20.3" expl="postcondition">
+   <proof prover="2"><result status="timeout" time="1.00"/></proof>
+   <proof prover="3"><undone/></proof>
+   </goal>
+   <goal name="inner&#39;vc.20.4" expl="postcondition">
+   <proof prover="2"><result status="timeout" time="1.00"/></proof>
+   <proof prover="3"><undone/></proof>
+   </goal>
+  </transf>
   </goal>
-  <goal name="learn_units&#39;vc.39" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.06" steps="280"/></proof>
+  <goal name="inner&#39;vc.21" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><undone/></proof>
   </goal>
  </transf>
  </goal>
 </theory>
-<theory name="CreuSat_Solver_Solver" proved="true">
- <goal name="solver&#39;vc" expl="VC for solver" proved="true">
- <transf name="split_vc" proved="true" >
+<theory name="CreuSat_Solver_Solver">
+ <goal name="solver&#39;vc" expl="VC for solver">
+ <transf name="split_vc" >
   <goal name="solver&#39;vc.0" expl="precondition" proved="true">
   <proof prover="2"><result status="valid" time="0.03" steps="40"/></proof>
   </goal>
@@ -10305,93 +714,58 @@
   <proof prover="2"><result status="valid" time="0.04" steps="80"/></proof>
   </goal>
   <goal name="solver&#39;vc.11" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="97"/></proof>
+  <proof prover="2"><result status="valid" time="0.05" steps="98"/></proof>
   </goal>
   <goal name="solver&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="100"/></proof>
+  <proof prover="2"><result status="valid" time="0.05" steps="101"/></proof>
   </goal>
   <goal name="solver&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="171"/></proof>
+  <proof prover="2"><result status="valid" time="0.05" steps="172"/></proof>
   </goal>
   <goal name="solver&#39;vc.14" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="105"/></proof>
+  <proof prover="2"><result status="valid" time="0.04" steps="106"/></proof>
   </goal>
   <goal name="solver&#39;vc.15" expl="precondition" proved="true">
   <proof prover="2"><result status="valid" time="0.05" steps="107"/></proof>
   </goal>
   <goal name="solver&#39;vc.16" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="107"/></proof>
-  </goal>
-  <goal name="solver&#39;vc.17" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.36" steps="3641"/></proof>
-  </goal>
-  <goal name="solver&#39;vc.18" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.10" steps="675"/></proof>
-  </goal>
-  <goal name="solver&#39;vc.19" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="545"/></proof>
-  </goal>
-  <goal name="solver&#39;vc.20" expl="postcondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.04" steps="278"/></proof>
-  </goal>
- </transf>
- </goal>
-</theory>
-<theory name="CreuSat_Watches_Impl0_MoveToEnd" proved="true">
- <goal name="move_to_end&#39;vc" expl="VC for move_to_end" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="move_to_end&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.03" steps="46"/></proof>
-  </goal>
-  <goal name="move_to_end&#39;vc.1" expl="integer overflow" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="269"/></proof>
-  </goal>
-  <goal name="move_to_end&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.05" steps="77"/></proof>
-  </goal>
-  <goal name="move_to_end&#39;vc.3" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="227"/></proof>
-  </goal>
-  <goal name="move_to_end&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="2"><result status="valid" time="0.08" steps="242"/></proof>
-  </goal>
-  <goal name="move_to_end&#39;vc.5" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.85" steps="121246"/></proof>
+  <proof prover="2"><result status="valid" time="0.05" steps="108"/></proof>
   </goal>
-  <goal name="move_to_end&#39;vc.6" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.14" steps="386187"/></proof>
+  <goal name="solver&#39;vc.17" expl="postcondition">
+  <proof prover="2"><result status="timeout" time="1.00"/></proof>
+  <proof prover="3"><undone/></proof>
   </goal>
  </transf>
  </goal>
 </theory>
 <theory name="CreuSat_Clause_Impl1" proved="true">
  <goal name="IndexMut1.index_mut&#39;refn&#39;vc" expl="VC for index_mut&#39;refn" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="28"/></proof>
+ <proof prover="2"><result status="valid" time="0.01" steps="20"/></proof>
  </goal>
 </theory>
 <theory name="CreuSat_Formula_Impl1" proved="true">
  <goal name="IndexMut1.index_mut&#39;refn&#39;vc" expl="VC for index_mut&#39;refn" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="28"/></proof>
+ <proof prover="2"><result status="valid" time="0.01" steps="20"/></proof>
  </goal>
 </theory>
 <theory name="CreuSat_Decision_Impl2" proved="true">
  <goal name="Clone1.clone&#39;&#39;refn&#39;vc" expl="VC for clone&#39;&#39;refn" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="28"/></proof>
+ <proof prover="2"><result status="valid" time="0.01" steps="20"/></proof>
  </goal>
 </theory>
 <theory name="CreuSat_Lit_Impl4" proved="true">
  <goal name="Clone1.clone&#39;&#39;refn&#39;vc" expl="VC for clone&#39;&#39;refn" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="28"/></proof>
+ <proof prover="2"><result status="valid" time="0.01" steps="20"/></proof>
  </goal>
 </theory>
 <theory name="CreuSat_Lit_Impl2" proved="true">
  <goal name="Eq1.eq&#39;refn&#39;vc" expl="VC for eq&#39;refn" proved="true">
- <proof prover="2"><result status="valid" time="0.01" steps="28"/></proof>
+ <proof prover="2"><result status="valid" time="0.01" steps="20"/></proof>
  </goal>
 </theory>
 <theory name="CreuSat_Lit_Impl3" proved="true">
  <goal name="Not1.not&#39;&#39;refn&#39;vc" expl="VC for not&#39;&#39;refn" proved="true">
- <proof prover="2"><result status="valid" time="0.02" steps="28"/></proof>
+ <proof prover="2"><result status="valid" time="0.02" steps="20"/></proof>
  </goal>
 </theory>
 </file>
diff --git a/mlcfgs/CreuSAT/why3shapes.gz b/mlcfgs/CreuSAT/why3shapes.gz
index 4b0a12ad..03c4a846 100644
Binary files a/mlcfgs/CreuSAT/why3shapes.gz and b/mlcfgs/CreuSAT/why3shapes.gz differ