diff --git a/src/colis.ml b/src/colis.ml
index a4efd82a..3676bda0 100644
--- a/src/colis.ml
+++ b/src/colis.ml
@@ -14,11 +14,15 @@ end
 module Common = struct
   module Arguments = Semantics__Arguments
   module Behaviour = Semantics__Behaviour
-  module Env = Env
-  module Stdin = Semantics__Buffers.Stdin
-  module Stdout = Semantics__Buffers.Stdout
   module Config = Semantics__Config
+  module Context = Semantics__Context
+  module Env = Semantics__Env
   module Input = Semantics__Input
+  module InterpUtilitySpec = Semantics__InterpUtilitySpec
+  module Path = Semantics__Path
+  module Result = Semantics__Result
+  module Stdin = Semantics__Buffers.Stdin
+  module Stdout = Semantics__Buffers.Stdout
 end
 
 module Concrete = struct
@@ -29,16 +33,12 @@ module Concrete = struct
 end
 
 module Symbolic = struct
-  module Filesystem = SymbolicInterpreter__Filesystem
+  include SymbolicUtility.Symbolic
+
   module FilesystemSpec = FilesystemSpec
-  module Semantics = SymbolicInterpreter__Semantics
-  module SymState = SymbolicInterpreter__SymState
-  module Results = SymbolicInterpreter__Results
-  module Interpreter = SymbolicInterpreter__Interpreter
-  module Utility = SymbolicUtility
 
   let () =
-    List.iter SymbolicUtility.register [
+    List.iter register [
       (module Basics.True) ;
       (module Basics.Colon) ;
       (module Basics.False) ;
@@ -68,16 +68,16 @@ module Symbolic = struct
 
   let to_state ~prune_init_state ~root clause : Semantics.state =
     let root0 = if prune_init_state then None else Some root in
-    let filesystem = {Filesystem.root; clause; root0} in
+    let filesystem = {root; clause; root0} in
     {Semantics.filesystem; stdin=Common.Stdin.empty; stdout=Common.Stdout.empty; log=Common.Stdout.empty}
 
   let to_symbolic_state ~vars ~arguments state =
-    let open Semantics in
     let context =
-      let var_env = Semantics.add_var_bindings true vars Semantics.empty_var_env in
-      {Semantics.empty_context with arguments; var_env; cwd=[]}
+      let open Common.Context in
+      let var_env = add_var_bindings true vars empty_var_env in
+      {empty_context with arguments; var_env; cwd=[]}
     in
-    {SymState.state; context; data=()}
+    {state; context}
 
   let interp_program ~loop_limit ~stack_size ~argument0 stas' program =
     let open Common in
@@ -88,7 +88,7 @@ module Symbolic = struct
         let stack_size = Finite (Z.of_int stack_size) in
         { loop_limit; stack_size } in
       Input.({ argument0; config; under_condition=false }) in
-    let normals, errors, failures = Interpreter.interp_program inp stas' program in
+    let normals, errors, failures = interp_program inp stas' program in
     normals, errors, failures
 end
 
@@ -164,12 +164,13 @@ let colis_to_file filename colis =
 let run ~argument0 ?(arguments=[]) ?(vars=[]) colis =
   let open Common in
   let open Concrete in
+  let open Context in
   let input =
     let config = Config.({loop_limit = Infinite; stack_size = Infinite }) in
     Input.({ argument0; config; under_condition=false }) in
   let state = Interpreter.empty_state () in
   state.arguments := arguments;
-  state.var_env := Semantics.add_var_bindings true vars Semantics.empty_var_env;
+  state.var_env := add_var_bindings true vars empty_var_env;
   try
     Interpreter.interp_program input state colis;
     print_string (Stdout.all_lines !(state.stdout) |> List.rev |> String.concat "\n");
@@ -196,7 +197,7 @@ type symbolic_config = {
 
 let print_symbolic_filesystem fmt fs =
   let open Colis_constraints in
-  let open Symbolic.Filesystem in
+  let open Symbolic in
   fprintf fmt "root: %a@\n" Var.pp fs.root;
   fprintf fmt "clause: %a@\n" Clause.pp_sat_conj fs.clause
 
diff --git a/src/colis.mli b/src/colis.mli
index b0f2107c..cb00d6f2 100644
--- a/src/colis.mli
+++ b/src/colis.mli
@@ -14,10 +14,15 @@ end
 module Common : sig
   module Arguments = Semantics__Arguments
   module Behaviour = Semantics__Behaviour
-  module Env = Env
+  module Config = Semantics__Config
+  module Context = Semantics__Context
+  module Env = Semantics__Env
+  module Input = Semantics__Input
+  module InterpUtilitySpec = Semantics__InterpUtilitySpec
+  module Path = Semantics__Path
+  module Result = Semantics__Result
   module Stdin = Semantics__Buffers.Stdin
   module Stdout = Semantics__Buffers.Stdout
-  module Input = Semantics__Input
 end
 
 module Concrete : sig
@@ -28,27 +33,23 @@ module Concrete : sig
 end
 
 module Symbolic : sig
-  module Filesystem = SymbolicInterpreter__Filesystem
+  include module type of SymbolicUtility.Symbolic
   module FilesystemSpec = FilesystemSpec
-  module Semantics = SymbolicInterpreter__Semantics
-  module SymState = SymbolicInterpreter__SymState
-  module Results = SymbolicInterpreter__Results
-  module Interpreter = SymbolicInterpreter__Interpreter
-  module Utility = SymbolicUtility
 
   open Colis_constraints
+  open Semantics
 
   (** [compile_fs_spec root conj fs_spec] creates a disjunction that represents the conjunction [conj] with constraints representing the filesystem specified by [fs_spec] *)
   val add_fs_spec_to_clause : Var.t -> Clause.sat_conj -> FilesystemSpec.t -> Clause.sat_conj list
 
   (* Create a state corresponding to a conjunction *)
-  val to_state : prune_init_state:bool -> root:Var.t -> Clause.sat_conj -> Semantics.state
+  val to_state : prune_init_state:bool -> root:Var.t -> Clause.sat_conj -> state
 
   (* Create a symbolic states by adding context to a stringe *)
-  val to_symbolic_state : vars:(string * string) list -> arguments:string list -> Semantics.state -> unit SymState.sym_state
+  val to_symbolic_state : vars:(string * string) list -> arguments:string list -> state -> sym_state
 
   (* Wrapper around [Symbolic.Interpreter.interp_program] *)
-  val interp_program : loop_limit:int -> stack_size:int -> argument0:string -> unit SymState.sym_state list -> Language.Syntax.program -> (Semantics.state list * Semantics.state list * Semantics.state list)
+  val interp_program : loop_limit:int -> stack_size:int -> argument0:string -> sym_state list -> Language.Syntax.program -> (state list * state list * state list)
 end
 
 module Constraints = Colis_constraints
@@ -119,13 +120,13 @@ type symbolic_config = {
   (** Maximum height of the call stack in symbolic execution *)
 }
 
-open Symbolic
+open Symbolic.Semantics
 
-val print_symbolic_state : Format.formatter -> ?id:string -> Semantics.state -> unit
+val print_symbolic_state : Format.formatter -> ?id:string -> state -> unit
 
-val print_symbolic_states : initials:Semantics.state list -> (Semantics.state list * Semantics.state list * Semantics.state list) -> unit
+val print_symbolic_states : initials:state list -> (state list * state list * state list) -> unit
 
-val exit_code : (Semantics.state list * Semantics.state list * Semantics.state list) -> int
+val exit_code : (state list * state list * state list) -> int
 
 val run_symbolic : symbolic_config -> Symbolic.FilesystemSpec.t -> argument0:string -> ?arguments:(string list) -> ?vars:((string * string) list) -> colis -> unit
 (** Symbolically executes a Colis program. *)
diff --git a/src/concrete/driver.drv b/src/concrete/driver.drv
index 44084ff4..51d8e573 100644
--- a/src/concrete/driver.drv
+++ b/src/concrete/driver.drv
@@ -3,6 +3,7 @@ module semantics.Env
   syntax val empty_env "Env.empty %1"
   syntax val ([]) "Env.get %1 %2"
   syntax val ([<-]) "Env.set %1 %2 %3"
+  syntax type env0 "%1 Env.SMap.t"
 end
 
 module semantics.Buffers
@@ -10,9 +11,18 @@ module semantics.Buffers
   syntax val split_on_default_ifs "Str.(split (regexp \"[ \t\n]+\") %1)"
 end
 
-module interpreter.Semantics
-  syntax val filter_var_env "Env.filter_var_env (fun v -> v.Interpreter__Semantics.exported) (fun v -> v.Interpreter__Semantics.value) %1"
-  syntax val interp_utility "Utilities.interp_utility %1 %2 %3"
-  syntax val normalized_path_to_string "String.concat \"/\" %1"
-  syntax val absolute_or_concat_relative "Utilities.absolute_or_concat_relative %1 %2"
+module semantics.Path
+  syntax type feature "Colis_constraints.Feat.t"
+  syntax type normalized_path "Colis_constraints.Path.normal"
+  syntax val default_cwd "[]"
+  syntax val normalized_path_to_string "Colis_constraints.Path.normal_to_string %1"
+  syntax val absolute_or_concat_relative "Colis_constraints.Path.(normalize ~cwd:%1 (from_string %2))"
+end
+
+module semantics.Context
+  syntax val filter_var_env "Semantics__Context.(Env.filter_var_env (fun v -> v.exported) (fun v -> v.value) %1)"
+end
+
+module interpreter.Interpreter
+  syntax val interp_utility "Utilities.interp_utility %1"
 end
\ No newline at end of file
diff --git a/src/concrete/env.ml b/src/concrete/env.ml
index fc537cef..7f0cabbf 100644
--- a/src/concrete/env.ml
+++ b/src/concrete/env.ml
@@ -1,14 +1,19 @@
-module IdMap = Map.Make (String)
-type 'a env = {map: 'a IdMap.t; default: 'a}
-let empty default = {map=IdMap.empty; default}
-let get env id = try IdMap.find id env.map with Not_found -> env.default
-let set env id value = {env with map=IdMap.add id value env.map}
-let filter p env = {env with map=IdMap.filter p env.map}
-let map f default env = {map=IdMap.map f env.map; default}
-let elements env = IdMap.fold (fun k v t -> (k, v) :: t) env.map []
+module SMap = Map.Make (String)
+
+type 'a env = {map: 'a SMap.t; default: 'a}
+
+let empty default = {map=SMap.empty; default}
+let get env id = try SMap.find id env.map with Not_found -> env.default
+let set env id value = {env with map=SMap.add id value env.map}
+let filter p env = {env with map=SMap.filter p env.map}
+let map f default env = {map=SMap.map f env.map; default}
+let elements env = SMap.fold (fun k v t -> (k, v) :: t) env.map []
 let to_map env = env.map
 
-let filter_var_env (var_exported: 'a -> bool) (var_value: 'a -> string option) (env : 'a env) : string IdMap.t =
+let filter_var_env (var_exported: 'a -> bool) (var_value: 'a -> 'b option) (env : 'a env) : 'b SMap.t =
+  let open SMap in
   env.map |>
-  IdMap.filter (fun _ v -> var_exported v && var_value v <> None) |>
-  IdMap.map (fun v -> match var_value v with Some s -> s | _ -> assert false)
+  filter (fun _ -> var_exported) |>
+  map var_value |>
+  filter (fun _ -> (<>) None) |>
+  map (function Some x -> x | _ -> assert false)
diff --git a/src/concrete/env.mli b/src/concrete/env.mli
index 442a585e..99d169d6 100644
--- a/src/concrete/env.mli
+++ b/src/concrete/env.mli
@@ -8,9 +8,9 @@ val filter : (string -> 'a -> bool) -> 'a env -> 'a env
 val map : ('a -> 'b) -> 'b -> 'a env -> 'b env
 val elements : 'a env -> (string * 'a) list
 
-module IdMap : Map.S with type key = string
+module SMap : Map.S with type key = string
 
 (** Conversion to a normal map without default value *)
-val to_map : 'a env -> 'a IdMap.t
+val to_map : 'a env -> 'a SMap.t
 
-val filter_var_env : ('a -> bool) -> ('a -> string option) -> 'a env -> string IdMap.t
+val filter_var_env : ('a -> bool) -> ('a -> 'b option) -> 'a env -> 'b SMap.t
diff --git a/src/concrete/interpreter.mlw b/src/concrete/interpreter.mlw
index c839995d..3e6dcea7 100644
--- a/src/concrete/interpreter.mlw
+++ b/src/concrete/interpreter.mlw
@@ -22,8 +22,12 @@ module State
   use ref.Ref
   use list.List
   use string.String
-  use Filesystem
+
   use semantics.Buffers
+  use semantics.Context
+  use semantics.Env
+  use semantics.Path
+  use Filesystem
   use import Semantics as S
 
   type sem_state = state
@@ -42,7 +46,7 @@ module State
     var_env : ref var_env;
     func_env : func_env;
     arguments: ref (list string);
-    cwd : ref (list string);
+    cwd : ref normalized_path;
     result : ref bool;
   }
 end
@@ -59,18 +63,21 @@ module Interpreter
   use map.MapExt
   use int.Int
   use ref.Refint
+  use string.OCaml as String
 
   use auxiliaries.OptionGet
-  use string.OCaml as String
+  use auxiliaries.TakeDrop
   use syntax.Syntax
+  use semantics.Arguments
   use semantics.Result
   use semantics.Buffers
   use semantics.Behaviour
   use semantics.Input
   use semantics.Config
+  use semantics.Context
   use semantics.Env as E
+  use semantics.Path
   use Filesystem as Fs
-  use auxiliaries.TakeDrop
   use import Semantics as S
   use import State as St
 
@@ -85,22 +92,22 @@ module Interpreter
 
   let empty_state () = {
     St.filesystem = ref Filesystem.empty;
-    St.var_env = ref S.empty_var_env;
-    St.func_env = S.empty_func_env;
+    St.var_env = ref empty_var_env;
+    St.func_env = empty_func_env;
     St.arguments = ref Nil;
     St.stdin = ref Stdin.empty;
     St.stdout = ref Stdout.empty;
     St.log = ref Stdout.empty;
-    St.cwd = ref Nil;
+    St.cwd = ref default_cwd;
     St.result = ref True;
   }
 
-  function sem_context (sta:state) : S.context = {
-    S.var_env = !(sta.var_env);
-    S.func_env = sta.func_env;
-    S.arguments = !(sta.arguments);
-    S.cwd = !(sta.cwd);
-    S.result = !(sta.result);
+  function sem_context (sta:state) : context = {
+    Context.var_env = !(sta.var_env);
+    Context.func_env = sta.func_env;
+    Context.arguments = !(sta.arguments);
+    Context.cwd = !(sta.cwd);
+    Context.result = !(sta.result);
   }
 
   lemma context_same: forall sta1 sta2.
@@ -139,22 +146,30 @@ module Interpreter
 
   (** {3 Imperative wrapper around the functional interpretation of utilties} *)
 
-  let interp_utility (inp:input) (sta:state) (id:identifier) (args:list string)
+  (** Interprete a command defined in the document *Specification of UNIX Commands*. *)
+  val interp_utility (params: (utility_context, identifier, S.state)) : (S.state, result bool)
+    ensures { S.interp_utility params result }
+
+  let interp_utility' (inp:input) (sta:state) (id:identifier) (args:list string)
     ensures {
-      interp_utility (!(old sta.cwd), filter_var_env !(old sta.var_env), args) id (old sem_state sta) = (sem_state sta, Ok !(sta.result)) /\
+      let utility_ctx = {S.cwd= !(old sta.cwd); env=filter_var_env !(old sta.var_env); args=args} in
+      interp_utility (utility_ctx, id, old sem_state sta) (sem_state sta, Ok !(sta.result)) /\
       behaviour inp !(sta.result) = BNormal
     }
     raises { EExit ->
-      interp_utility (!(old sta.cwd), filter_var_env !(old sta.var_env), args) id (old sem_state sta) = (sem_state sta, Ok !(sta.result)) /\
+      let utility_ctx = {S.cwd= !(old sta.cwd); env=filter_var_env !(old sta.var_env); args=args} in
+      interp_utility (utility_ctx, id, old sem_state sta) (sem_state sta, Ok !(sta.result)) /\
       behaviour inp !(sta.result) = BExit
     }
     raises { EIncomplete ->
-      interp_utility (!(old sta.cwd), filter_var_env !(old sta.var_env), args) id (old sem_state sta) = (sem_state sta, Incomplete)
+      let utility_ctx = {S.cwd= !(old sta.cwd); env=filter_var_env !(old sta.var_env); args=args} in
+      interp_utility (utility_ctx, id, old sem_state sta) (sem_state sta, Incomplete)
     }
     raises { EIncomplete ->
       sem_context sta = sem_context (old sta)
     }
-  = let sta', r = interp_utility (!(sta.cwd), filter_var_env !(sta.var_env), args) id (sem_state sta) in
+  = let utility_ctx = {S.cwd= !(sta.cwd); env=filter_var_env !(sta.var_env); args=args} in
+    let sta', r = interp_utility (utility_ctx, id, sem_state sta) in
     sta.filesystem := sta'.S.filesystem;
     assert { !(sta.filesystem) = sta'.S.filesystem };
     sta.stdin := sta'.S.stdin;
@@ -168,8 +183,6 @@ module Interpreter
       raise EIncomplete
     end
 
-  use semantics.Arguments
-
   let shift_arguments sta n
     requires { n >= 0 }
     ensures {
@@ -256,7 +269,7 @@ module Interpreter
 
     | IExport id ->
       let old_env = !(sta.var_env) in
-      let var_val = {old_env[id] with S.exported=True} in
+      let var_val = {old_env[id] with exported=True} in
       sta.var_env := old_env[id <- var_val];
       sta.result := True
 
@@ -339,7 +352,7 @@ module Interpreter
 
     | ICallUtility name le ->
       let args = interp_list_expr inp sta le in
-      interp_utility inp sta name args
+      interp_utility' inp sta name args
 
     | ICallFunction id le ->
       let args = interp_list_expr inp sta le in
@@ -430,7 +443,7 @@ module Interpreter
       let cwd_p = absolute_or_concat_relative !(sta.cwd) s in
       let pwd_s = normalized_path_to_string cwd_p in
       let args = Cons "-d" (Cons pwd_s Nil) in
-      interp_utility {inp with under_condition=True} sta identifier_test args;
+      interp_utility' {inp with under_condition=True} sta identifier_test args;
       if !(sta.result) then begin
         sta.var_env := !(sta.var_env)[identifier_pwd <- pwd_s]';
         sta.cwd := cwd_p
diff --git a/src/concrete/interpreter/why3session.xml b/src/concrete/interpreter/why3session.xml
index 2f91eae1..9c11ac70 100644
--- a/src/concrete/interpreter/why3session.xml
+++ b/src/concrete/interpreter/why3session.xml
@@ -14,24 +14,24 @@
  <proof prover="4"><result status="valid" time="0.06" steps="28"/></proof>
  </goal>
  <goal name="maybe_exit&#39;vc" expl="VC for maybe_exit" proved="true">
- <proof prover="0" timelimit="5"><result status="valid" time="0.25" steps="73143"/></proof>
+ <proof prover="0" timelimit="5"><result status="valid" time="0.25" steps="73691"/></proof>
  </goal>
- <goal name="interp_utility&#39;vc" expl="VC for interp_utility" proved="true">
+ <goal name="interp_utility&#39;&#39;vc" expl="VC for interp_utility&#39;" proved="true">
  <transf name="split_vc" proved="true" >
-  <goal name="interp_utility&#39;vc.0" expl="assertion" proved="true">
-  <proof prover="0"><result status="valid" time="0.28" steps="71397"/></proof>
+  <goal name="interp_utility&#39;&#39;vc.0" expl="assertion" proved="true">
+  <proof prover="0"><result status="valid" time="0.29" steps="71953"/></proof>
   </goal>
-  <goal name="interp_utility&#39;vc.1" expl="postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.42" steps="78818"/></proof>
+  <goal name="interp_utility&#39;&#39;vc.1" expl="postcondition" proved="true">
+  <proof prover="0"><result status="valid" time="0.42" steps="79641"/></proof>
   </goal>
-  <goal name="interp_utility&#39;vc.2" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.46" steps="77246"/></proof>
+  <goal name="interp_utility&#39;&#39;vc.2" expl="exceptional postcondition" proved="true">
+  <proof prover="0"><result status="valid" time="0.46" steps="78069"/></proof>
   </goal>
-  <goal name="interp_utility&#39;vc.3" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.51" steps="75971"/></proof>
+  <goal name="interp_utility&#39;&#39;vc.3" expl="exceptional postcondition" proved="true">
+  <proof prover="0"><result status="valid" time="0.56" steps="77051"/></proof>
   </goal>
-  <goal name="interp_utility&#39;vc.4" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.48" steps="76329"/></proof>
+  <goal name="interp_utility&#39;&#39;vc.4" expl="exceptional postcondition" proved="true">
+  <proof prover="0"><result status="valid" time="0.48" steps="77021"/></proof>
   </goal>
  </transf>
  </goal>
@@ -41,566 +41,566 @@
  <goal name="interp_instruction&#39;vc" expl="VC for interp_instruction" proved="true">
  <transf name="split_vc" proved="true" >
   <goal name="interp_instruction&#39;vc.0" expl="assertion" proved="true">
-  <proof prover="0"><result status="valid" time="0.31" steps="71493"/></proof>
+  <proof prover="4"><result status="valid" time="0.07" steps="71"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.1" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.24" steps="68219"/></proof>
+  <proof prover="0"><result status="valid" time="0.37" steps="68695"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.2" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.15" steps="94"/></proof>
+  <proof prover="0"><result status="valid" time="0.48" steps="68872"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.3" expl="assertion" proved="true">
-  <proof prover="0" timelimit="5"><result status="valid" time="0.31" steps="71456"/></proof>
-  <proof prover="4"><result status="valid" time="0.06" steps="54"/></proof>
+  <proof prover="4" timelimit="10"><result status="valid" time="0.10" steps="54"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.4" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.14" steps="30"/></proof>
+  <proof prover="4"><result status="valid" time="0.08" steps="30"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.5" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.16" steps="64"/></proof>
+  <proof prover="4"><result status="valid" time="0.14" steps="64"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.6" expl="assertion" proved="true">
-  <proof prover="4"><result status="valid" time="0.11" steps="54"/></proof>
+  <proof prover="4"><result status="valid" time="0.20" steps="54"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.7" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.13" steps="30"/></proof>
+  <proof prover="4"><result status="valid" time="0.08" steps="30"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.8" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.34" steps="69254"/></proof>
+  <proof prover="4"><result status="valid" time="0.07" steps="64"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.9" expl="assertion" proved="true">
-  <proof prover="0"><result status="valid" time="0.18" steps="71493"/></proof>
+  <proof prover="0"><result status="valid" time="0.31" steps="72041"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.10" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.12" steps="68219"/></proof>
+  <proof prover="4"><result status="valid" time="0.12" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.11" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.23" steps="68320"/></proof>
+  <proof prover="4"><result status="valid" time="0.11" steps="94"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.12" expl="assertion" proved="true">
-  <proof prover="0"><result status="valid" time="0.40" steps="71456"/></proof>
+  <proof prover="4"><result status="valid" time="0.08" steps="54"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.13" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.09" steps="30"/></proof>
+  <proof prover="0"><result status="valid" time="0.21" steps="68795"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.14" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.28" steps="69313"/></proof>
+  <proof prover="4"><result status="valid" time="0.07" steps="64"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.15" expl="assertion" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="54"/></proof>
+  <proof prover="0"><result status="valid" time="0.26" steps="72002"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.16" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.06" steps="30"/></proof>
+  <proof prover="0"><result status="valid" time="0.23" steps="68795"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.17" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.06" steps="64"/></proof>
+  <proof prover="0"><result status="valid" time="0.36" steps="69806"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.18" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.08" steps="24"/></proof>
+  <proof prover="4"><result status="valid" time="0.07" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.19" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.11" steps="28"/></proof>
+  <proof prover="4"><result status="valid" time="0.15" steps="28"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.20" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="30"/></proof>
+  <proof prover="4"><result status="valid" time="0.09" steps="30"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.21" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.13" steps="196"/></proof>
+  <proof prover="4"><result status="valid" time="0.22" steps="196"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.22" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.14" steps="30"/></proof>
+  <proof prover="4"><result status="valid" time="0.09" steps="30"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.23" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.25" steps="179"/></proof>
+  <proof prover="4"><result status="valid" time="0.12" steps="179"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.24" expl="postcondition" proved="true">
   <proof prover="4"><result status="valid" time="0.14" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.25" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.20" steps="68"/></proof>
+  <proof prover="4"><result status="valid" time="0.06" steps="68"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.26" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.10" steps="24"/></proof>
+  <proof prover="4"><result status="valid" time="0.07" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.27" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.10" steps="24"/></proof>
+  <proof prover="0" timelimit="5"><result status="valid" time="0.14" steps="68668"/></proof>
+  <proof prover="4"><result status="valid" time="0.06" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.28" expl="postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.11" steps="68645"/></proof>
+  <proof prover="4"><result status="valid" time="0.08" steps="40"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.29" expl="postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.50" steps="89481"/></proof>
+  <proof prover="0"><result status="valid" time="0.38" steps="89674"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.30" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="40"/></proof>
+  <proof prover="4"><result status="valid" time="0.06" steps="40"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.31" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.61" steps="87437"/></proof>
+  <proof prover="0"><result status="valid" time="0.57" steps="87623"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.32" expl="exceptional postcondition" proved="true">
   <proof prover="4"><result status="valid" time="0.06" steps="67"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.33" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.12" steps="24"/></proof>
+  <proof prover="4"><result status="valid" time="0.07" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.34" expl="precondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.11" steps="68192"/></proof>
+  <proof prover="4"><result status="valid" time="0.09" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.35" expl="assertion" proved="true">
-  <proof prover="4"><result status="valid" time="0.08" steps="30"/></proof>
+  <proof prover="4"><result status="valid" time="0.07" steps="30"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.36" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.06" steps="30"/></proof>
+  <proof prover="0"><result status="valid" time="0.18" steps="68863"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.37" expl="precondition" proved="true">
-  <proof prover="4" timelimit="10"><result status="valid" time="0.10" steps="30"/></proof>
+  <proof prover="4"><result status="valid" time="0.12" steps="30"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.38" expl="assertion" proved="true">
   <proof prover="4"><result status="valid" time="0.14" steps="36"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.39" expl="postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.29" steps="68572"/></proof>
+  <proof prover="4"><result status="valid" time="0.23" steps="37"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.40" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.08" steps="39"/></proof>
+  <proof prover="4"><result status="valid" time="0.07" steps="39"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.41" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.09" steps="36"/></proof>
+  <proof prover="0"><result status="valid" time="0.12" steps="69063"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.42" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.29" steps="65448"/></proof>
+  <proof prover="0"><result status="valid" time="0.26" steps="65996"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.43" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.17" steps="36"/></proof>
+  <proof prover="4" timelimit="60"><result status="valid" time="0.08" steps="36"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.44" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.06" steps="39"/></proof>
+  <proof prover="0"><result status="valid" time="0.29" steps="65996"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.45" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.17" steps="65403"/></proof>
+  <proof prover="4"><result status="valid" time="0.08" steps="36"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.46" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.10" steps="68376"/></proof>
+  <proof prover="0"><result status="valid" time="0.12" steps="68852"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.47" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.08" steps="32"/></proof>
+  <proof prover="4"><result status="valid" time="0.07" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.48" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.13" steps="30"/></proof>
+  <proof prover="0"><result status="valid" time="0.15" steps="68852"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.49" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.10" steps="32"/></proof>
+  <proof prover="4"><result status="valid" time="0.13" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.50" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="30"/></proof>
+  <proof prover="4"><result status="valid" time="0.08" steps="30"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.51" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.08" steps="24"/></proof>
+  <proof prover="4"><result status="valid" time="0.14" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.52" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.12" steps="24"/></proof>
+  <proof prover="4" timelimit="30"><result status="valid" time="0.09" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.53" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.12" steps="34"/></proof>
+  <proof prover="0"><result status="valid" time="0.11" steps="69047"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.54" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="36"/></proof>
+  <proof prover="4"><result status="valid" time="0.06" steps="36"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.55" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.11" steps="68571"/></proof>
+  <proof prover="4"><result status="valid" time="0.10" steps="34"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.56" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.14" steps="36"/></proof>
+  <proof prover="4"><result status="valid" time="0.19" steps="36"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.57" expl="postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.20" steps="68571"/></proof>
+  <proof prover="4"><result status="valid" time="0.11" steps="34"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.58" expl="postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.34" steps="76181"/></proof>
+  <proof prover="4"><result status="valid" time="0.12" steps="36"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.59" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.19" steps="34"/></proof>
+  <proof prover="0"><result status="valid" time="0.16" steps="69047"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.60" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.21" steps="36"/></proof>
+  <proof prover="0"><result status="valid" time="0.28" steps="75188"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.61" expl="postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.27" steps="68571"/></proof>
+  <proof prover="4"><result status="valid" time="0.11" steps="34"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.62" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.08" steps="36"/></proof>
+  <proof prover="0"><result status="valid" time="0.58" steps="76569"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.63" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.14" steps="34"/></proof>
+  <proof prover="4"><result status="valid" time="0.12" steps="34"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.64" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.13" steps="36"/></proof>
+  <proof prover="4"><result status="valid" time="0.21" steps="36"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.65" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.12" steps="32"/></proof>
+  <proof prover="4"><result status="valid" time="0.08" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.66" expl="precondition" proved="true">
   <proof prover="4"><result status="valid" time="0.15" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.67" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="24"/></proof>
+  <proof prover="4"><result status="valid" time="0.18" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.68" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.12" steps="32"/></proof>
+  <proof prover="0"><result status="valid" time="0.28" steps="68955"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.69" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.13" steps="82"/></proof>
+  <proof prover="4"><result status="valid" time="0.21" steps="82"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.70" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.06" steps="30"/></proof>
+  <proof prover="4"><result status="valid" time="0.19" steps="30"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.71" expl="exceptional postcondition" proved="true">
   <proof prover="4"><result status="valid" time="0.12" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.72" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="32"/></proof>
+  <proof prover="4"><result status="valid" time="0.12" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.73" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.22" steps="82"/></proof>
+  <proof prover="0"><result status="valid" time="0.43" steps="73873"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.74" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.17" steps="30"/></proof>
+  <proof prover="0"><result status="valid" time="0.18" steps="65850"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.75" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="24"/></proof>
+  <proof prover="4"><result status="valid" time="0.14" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.76" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.13" steps="24"/></proof>
+  <proof prover="4"><result status="valid" time="0.09" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.77" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.05" steps="32"/></proof>
+  <proof prover="4"><result status="valid" time="0.09" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.78" expl="precondition" proved="true">
   <proof prover="4"><result status="valid" time="0.06" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.79" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="38"/></proof>
+  <proof prover="4"><result status="valid" time="0.18" steps="38"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.80" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.20" steps="41"/></proof>
+  <proof prover="4"><result status="valid" time="0.10" steps="41"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.81" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.08" steps="38"/></proof>
+  <proof prover="4"><result status="valid" time="0.20" steps="38"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.82" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.22" steps="41"/></proof>
+  <proof prover="0"><result status="valid" time="0.52" steps="76854"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.83" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.13" steps="68620"/></proof>
+  <proof prover="4"><result status="valid" time="0.09" steps="38"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.84" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="41"/></proof>
+  <proof prover="4"><result status="valid" time="0.12" steps="41"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.85" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.16" steps="38"/></proof>
+  <proof prover="4"><result status="valid" time="0.12" steps="38"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.86" expl="precondition" proved="true">
-  <proof prover="4" timelimit="5"><result status="valid" time="0.10" steps="32"/></proof>
+  <proof prover="0"><result status="valid" time="0.12" steps="68896"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.87" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.11" steps="32"/></proof>
+  <proof prover="0"><result status="valid" time="0.17" steps="68899"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.88" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.14" steps="38"/></proof>
+  <proof prover="4"><result status="valid" time="0.12" steps="38"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.89" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.21" steps="41"/></proof>
+  <proof prover="0"><result status="valid" time="0.55" steps="77183"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.90" expl="exceptional postcondition" proved="true">
   <proof prover="4"><result status="valid" time="0.07" steps="38"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.91" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="41"/></proof>
+  <proof prover="4"><result status="valid" time="0.17" steps="41"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.92" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.21" steps="68624"/></proof>
+  <proof prover="4"><result status="valid" time="0.07" steps="38"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.93" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.19" steps="41"/></proof>
+  <proof prover="0"><result status="valid" time="0.34" steps="76935"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.94" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.12" steps="38"/></proof>
+  <proof prover="4"><result status="valid" time="0.11" steps="38"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.95" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.06" steps="30"/></proof>
+  <proof prover="0"><result status="valid" time="0.29" steps="68870"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.96" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.10" steps="32"/></proof>
+  <proof prover="4"><result status="valid" time="0.17" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.97" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.06" steps="30"/></proof>
+  <proof prover="4"><result status="valid" time="0.17" steps="30"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.98" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.06" steps="32"/></proof>
+  <proof prover="4"><result status="valid" time="0.22" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.99" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.05" steps="30"/></proof>
+  <proof prover="0"><result status="valid" time="0.30" steps="65944"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.100" expl="precondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.11" steps="68185"/></proof>
+  <proof prover="4"><result status="valid" time="0.17" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.101" expl="precondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.31" steps="68188"/></proof>
+  <proof prover="4"><result status="valid" time="0.16" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.102" expl="postcondition" proved="true">
   <proof prover="4"><result status="valid" time="0.12" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.103" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.24" steps="34"/></proof>
+  <proof prover="4"><result status="valid" time="0.20" steps="34"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.104" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.09" steps="32"/></proof>
+  <proof prover="4"><result status="valid" time="0.06" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.105" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.43" steps="79583"/></proof>
+  <proof prover="4"><result status="valid" time="0.19" steps="34"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.106" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.18" steps="32"/></proof>
+  <proof prover="4"><result status="valid" time="0.07" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.107" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="34"/></proof>
+  <proof prover="4"><result status="valid" time="0.09" steps="34"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.108" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.20" steps="32"/></proof>
+  <proof prover="4" timelimit="5"><result status="valid" time="0.21" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.109" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.06" steps="24"/></proof>
+  <proof prover="4"><result status="valid" time="0.20" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.110" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.09" steps="24"/></proof>
+  <proof prover="4" timelimit="10" memlimit="4000"><result status="valid" time="0.09" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.111" expl="precondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.15" steps="68579"/></proof>
+  <proof prover="4"><result status="valid" time="0.12" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.112" expl="precondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.12" steps="68582"/></proof>
+  <proof prover="4"><result status="valid" time="0.12" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.113" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.17" steps="40"/></proof>
+  <proof prover="4"><result status="valid" time="0.10" steps="40"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.114" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.60" steps="119"/></proof>
+  <proof prover="4"><result status="valid" time="0.54" steps="119"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.115" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.16" steps="40"/></proof>
+  <proof prover="4"><result status="valid" time="0.14" steps="40"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.116" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.62" steps="119"/></proof>
+  <proof prover="4"><result status="valid" time="0.63" steps="119"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.117" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.06" steps="40"/></proof>
+  <proof prover="4"><result status="valid" time="0.15" steps="40"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.118" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.46" steps="98715"/></proof>
+  <proof prover="4" timelimit="60"><result status="valid" time="0.64" steps="119"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.119" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.75" steps="116"/></proof>
+  <proof prover="4"><result status="valid" time="0.67" steps="116"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.120" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.08" steps="32"/></proof>
+  <proof prover="4"><result status="valid" time="0.12" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.121" expl="precondition" proved="true">
   <proof prover="4"><result status="valid" time="0.18" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.122" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.21" steps="40"/></proof>
+  <proof prover="0"><result status="valid" time="0.12" steps="69459"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.123" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.70" steps="119"/></proof>
+  <proof prover="4"><result status="valid" time="0.62" steps="119"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.124" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.17" steps="40"/></proof>
+  <proof prover="0"><result status="valid" time="0.27" steps="69459"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.125" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.77" steps="119"/></proof>
+  <proof prover="4"><result status="valid" time="0.57" steps="119"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.126" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.19" steps="40"/></proof>
+  <proof prover="0"><result status="valid" time="0.24" steps="69459"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.127" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.65" steps="119"/></proof>
+  <proof prover="0"><result status="valid" time="1.07" steps="97041"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.128" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.63" steps="116"/></proof>
+  <proof prover="4"><result status="valid" time="0.71" steps="116"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.129" expl="precondition" proved="true">
-  <proof prover="4" timelimit="30"><result status="valid" time="0.09" steps="32"/></proof>
+  <proof prover="4"><result status="valid" time="0.06" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.130" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.12" steps="32"/></proof>
+  <proof prover="4"><result status="valid" time="0.24" steps="32"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.131" expl="postcondition" proved="true">
   <proof prover="4"><result status="valid" time="0.18" steps="40"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.132" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.47" steps="119"/></proof>
+  <proof prover="4"><result status="valid" time="0.70" steps="119"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.133" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.05" steps="40"/></proof>
+  <proof prover="4"><result status="valid" time="0.20" steps="40"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.134" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.55" steps="119"/></proof>
+  <proof prover="4"><result status="valid" time="0.78" steps="119"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.135" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.10" steps="40"/></proof>
+  <proof prover="0"><result status="valid" time="0.12" steps="69459"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.136" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.65" steps="119"/></proof>
+  <proof prover="4"><result status="valid" time="0.77" steps="119"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.137" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.67" steps="93565"/></proof>
+  <proof prover="4"><result status="valid" time="0.73" steps="116"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.138" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.34" steps="86"/></proof>
+  <proof prover="4"><result status="valid" time="0.44" steps="86"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.139" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.12" steps="24"/></proof>
+  <proof prover="4"><result status="valid" time="0.21" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.140" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.12" steps="24"/></proof>
+  <proof prover="4"><result status="valid" time="0.16" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.141" expl="postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.12" steps="68608"/></proof>
+  <proof prover="0"><result status="valid" time="0.24" steps="69095"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.142" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.23" steps="91"/></proof>
+  <proof prover="0"><result status="valid" time="0.71" steps="83919"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.143" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.09" steps="38"/></proof>
+  <proof prover="4"><result status="valid" time="0.06" steps="38"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.144" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.58" steps="86263"/></proof>
+  <proof prover="4"><result status="valid" time="0.30" steps="93"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.145" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="40"/></proof>
+  <proof prover="4"><result status="valid" time="0.40" steps="219"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.146" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.10" steps="65"/></proof>
+  <proof prover="0"><result status="valid" time="0.49" steps="68919"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.147" expl="precondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.25" steps="68189"/></proof>
+  <proof prover="4"><result status="valid" time="0.12" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.148" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="24"/></proof>
+  <proof prover="4"><result status="valid" time="0.20" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.149" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.14" steps="40"/></proof>
+  <proof prover="0"><result status="valid" time="0.24" steps="69000"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.150" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.11" steps="91"/></proof>
+  <proof prover="4"><result status="valid" time="0.18" steps="91"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.151" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.24" steps="68524"/></proof>
+  <proof prover="4"><result status="valid" time="0.18" steps="40"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.152" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.51" steps="76570"/></proof>
+  <proof prover="4"><result status="valid" time="0.14" steps="93"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.153" expl="precondition" proved="true">
-  <proof prover="4" timelimit="60"><result status="valid" time="0.08" steps="36"/></proof>
+  <proof prover="4"><result status="valid" time="0.05" steps="36"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.154" expl="precondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.12" steps="68460"/></proof>
+  <proof prover="0"><result status="valid" time="0.25" steps="68936"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.155" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.06" steps="46"/></proof>
+  <proof prover="0"><result status="valid" time="0.19" steps="69295"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.156" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.84" steps="223"/></proof>
+  <proof prover="4"><result status="valid" time="0.91" steps="223"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.157" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.08" steps="46"/></proof>
+  <proof prover="4"><result status="valid" time="0.13" steps="46"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.158" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.89" steps="171"/></proof>
+  <proof prover="4"><result status="valid" time="0.68" steps="171"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.159" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.13" steps="46"/></proof>
+  <proof prover="0"><result status="valid" time="0.29" steps="69295"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.160" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.92" steps="170"/></proof>
+  <proof prover="4"><result status="valid" time="0.58" steps="170"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.161" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.73" steps="166"/></proof>
+  <proof prover="0"><result status="valid" time="0.69" steps="140587"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.162" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.24" steps="65"/></proof>
+  <proof prover="0"><result status="valid" time="0.52" steps="68919"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.163" expl="precondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.30" steps="68193"/></proof>
+  <proof prover="4"><result status="valid" time="0.13" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.164" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="24"/></proof>
+  <proof prover="0"><result status="valid" time="0.31" steps="68672"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.165" expl="loop invariant init" proved="true">
-  <proof prover="4"><result status="valid" time="0.12" steps="34"/></proof>
+  <proof prover="4"><result status="valid" time="0.13" steps="34"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.166" expl="loop invariant init" proved="true">
-  <proof prover="4"><result status="valid" time="0.06" steps="84"/></proof>
+  <proof prover="4"><result status="valid" time="0.07" steps="84"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.167" expl="loop invariant init" proved="true">
-  <proof prover="4"><result status="valid" time="0.20" steps="40"/></proof>
+  <proof prover="4"><result status="valid" time="0.10" steps="40"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.168" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.18" steps="50"/></proof>
+  <proof prover="4"><result status="valid" time="0.14" steps="50"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.169" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.09" steps="50"/></proof>
+  <proof prover="4"><result status="valid" time="0.07" steps="50"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.170" expl="loop invariant preservation" proved="true">
-  <proof prover="4"><result status="valid" time="0.06" steps="56"/></proof>
+  <proof prover="4"><result status="valid" time="0.09" steps="56"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.171" expl="loop invariant preservation" proved="true">
-  <proof prover="4" timelimit="60"><result status="valid" time="21.97" steps="10608"/></proof>
+  <proof prover="4" timelimit="60"><result status="valid" time="22.00" steps="10847"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.172" expl="loop invariant preservation" proved="true">
-  <proof prover="0"><result status="valid" time="0.43" steps="81887"/></proof>
+  <proof prover="4"><result status="valid" time="0.18" steps="65"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.173" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.13" steps="56"/></proof>
+  <proof prover="0"><result status="valid" time="0.31" steps="69662"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.174" expl="exceptional postcondition" proved="true">
   <transf name="subst_all" proved="true" >
    <goal name="interp_instruction&#39;vc.174.0" expl="exceptional postcondition" proved="true">
    <transf name="apply" proved="true" arg1="eval_foreach" arg2="with" arg3="(sem_context sta),(sem_state sta3),ss,(contents (result sta))">
     <goal name="interp_instruction&#39;vc.174.0.0" expl="apply premises" proved="true">
-    <proof prover="0" timelimit="5"><result status="valid" time="0.15" steps="65553"/></proof>
+    <proof prover="0" timelimit="5"><result status="valid" time="0.23" steps="66029"/></proof>
     </goal>
     <goal name="interp_instruction&#39;vc.174.0.1" expl="apply premises" proved="true">
     <transf name="replace" proved="true" arg1="ss" arg2="(take i ss ++ Cons (nth i ss) (drop (i+1) ss))">
      <goal name="interp_instruction&#39;vc.174.0.1.0" expl="apply premises" proved="true">
-     <proof prover="4"><result status="valid" time="0.23" steps="140"/></proof>
+     <proof prover="4"><result status="valid" time="0.27" steps="140"/></proof>
      </goal>
      <goal name="interp_instruction&#39;vc.174.0.1.1" expl="equality hypothesis" proved="true">
-     <proof prover="4"><result status="valid" time="0.12" steps="50"/></proof>
+     <proof prover="4"><result status="valid" time="0.17" steps="50"/></proof>
      </goal>
     </transf>
     </goal>
     <goal name="interp_instruction&#39;vc.174.0.2" expl="apply premises" proved="true">
-    <proof prover="4"><result status="valid" time="0.15" steps="50"/></proof>
+    <proof prover="4"><result status="valid" time="0.21" steps="50"/></proof>
     </goal>
    </transf>
    </goal>
   </transf>
   </goal>
   <goal name="interp_instruction&#39;vc.175" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="56"/></proof>
+  <proof prover="4"><result status="valid" time="0.17" steps="56"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.176" expl="exceptional postcondition" proved="true">
   <transf name="subst_all" proved="true" >
    <goal name="interp_instruction&#39;vc.176.0" expl="exceptional postcondition" proved="true">
    <transf name="apply" proved="true" arg1="eval_foreach" arg2="with" arg3="(sem_context sta),(sem_state sta3),ss,(contents (result sta))">
     <goal name="interp_instruction&#39;vc.176.0.0" expl="apply premises" proved="true">
-    <proof prover="0" timelimit="5"><result status="valid" time="0.15" steps="65553"/></proof>
+    <proof prover="0" timelimit="5"><result status="valid" time="0.18" steps="66029"/></proof>
     </goal>
     <goal name="interp_instruction&#39;vc.176.0.1" expl="apply premises" proved="true">
     <transf name="replace" proved="true" arg1="ss" arg2="(take i ss ++ Cons (nth i ss) (drop (i+1) ss))">
      <goal name="interp_instruction&#39;vc.176.0.1.0" expl="apply premises" proved="true">
-     <proof prover="4"><result status="valid" time="0.25" steps="140"/></proof>
+     <proof prover="4"><result status="valid" time="0.28" steps="140"/></proof>
      </goal>
      <goal name="interp_instruction&#39;vc.176.0.1.1" expl="equality hypothesis" proved="true">
      <proof prover="4"><result status="valid" time="0.13" steps="50"/></proof>
@@ -608,7 +608,7 @@
     </transf>
     </goal>
     <goal name="interp_instruction&#39;vc.176.0.2" expl="apply premises" proved="true">
-    <proof prover="4"><result status="valid" time="0.16" steps="50"/></proof>
+    <proof prover="4"><result status="valid" time="0.19" steps="50"/></proof>
     </goal>
    </transf>
    </goal>
@@ -619,99 +619,99 @@
    <goal name="interp_instruction&#39;vc.177.0" expl="exceptional postcondition" proved="true">
    <transf name="apply" proved="true" arg1="eval_foreach" arg2="with" arg3="(sem_context sta),(sem_state sta3),ss,(contents (result sta))">
     <goal name="interp_instruction&#39;vc.177.0.0" expl="apply premises" proved="true">
-    <proof prover="0" timelimit="5"><result status="valid" time="0.16" steps="65553"/></proof>
+    <proof prover="0" timelimit="5"><result status="valid" time="0.27" steps="66029"/></proof>
     </goal>
     <goal name="interp_instruction&#39;vc.177.0.1" expl="apply premises" proved="true">
     <transf name="replace" proved="true" arg1="ss" arg2="(take i ss ++ Cons (nth i ss) (drop (i+1) ss))">
      <goal name="interp_instruction&#39;vc.177.0.1.0" expl="apply premises" proved="true">
-     <proof prover="4"><result status="valid" time="0.22" steps="140"/></proof>
+     <proof prover="4"><result status="valid" time="0.27" steps="140"/></proof>
      </goal>
      <goal name="interp_instruction&#39;vc.177.0.1.1" expl="equality hypothesis" proved="true">
-     <proof prover="4"><result status="valid" time="0.11" steps="50"/></proof>
+     <proof prover="4"><result status="valid" time="0.13" steps="50"/></proof>
      </goal>
     </transf>
     </goal>
     <goal name="interp_instruction&#39;vc.177.0.2" expl="apply premises" proved="true">
-    <proof prover="4"><result status="valid" time="0.12" steps="50"/></proof>
+    <proof prover="4"><result status="valid" time="0.16" steps="50"/></proof>
     </goal>
    </transf>
    </goal>
   </transf>
   </goal>
   <goal name="interp_instruction&#39;vc.178" expl="unreachable point" proved="true">
-  <proof prover="4"><result status="valid" time="0.15" steps="46"/></proof>
+  <proof prover="4"><result status="valid" time="0.14" steps="46"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.179" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.18" steps="42"/></proof>
+  <proof prover="4"><result status="valid" time="0.17" steps="42"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.180" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.48" steps="210"/></proof>
+  <proof prover="4"><result status="valid" time="0.57" steps="210"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.181" expl="out of loop bounds" proved="true">
-  <proof prover="4"><result status="valid" time="0.21" steps="40"/></proof>
+  <proof prover="0"><result status="valid" time="0.26" steps="69449"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.182" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.21" steps="67"/></proof>
+  <proof prover="4"><result status="valid" time="0.20" steps="67"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.183" expl="loop invariant init" proved="true">
-  <proof prover="4"><result status="valid" time="0.09" steps="24"/></proof>
+  <proof prover="0"><result status="valid" time="0.29" steps="68663"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.184" expl="loop invariant init" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="24"/></proof>
+  <proof prover="4"><result status="valid" time="0.10" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.185" expl="loop invariant init" proved="true">
-  <proof prover="4"><result status="valid" time="0.13" steps="27"/></proof>
+  <proof prover="4"><result status="valid" time="0.17" steps="27"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.186" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.18" steps="30"/></proof>
+  <proof prover="4"><result status="valid" time="0.06" steps="30"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.187" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.12" steps="30"/></proof>
+  <proof prover="4"><result status="valid" time="0.10" steps="30"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.188" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.13" steps="38"/></proof>
+  <proof prover="4"><result status="valid" time="0.18" steps="38"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.189" expl="precondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.11" steps="68718"/></proof>
+  <proof prover="4"><result status="valid" time="0.09" steps="38"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.190" expl="loop invariant preservation" proved="true">
-  <proof prover="4"><result status="valid" time="0.12" steps="46"/></proof>
+  <proof prover="4"><result status="valid" time="0.08" steps="46"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.191" expl="loop invariant preservation" proved="true">
-  <proof prover="0"><result status="valid" time="0.29" steps="72070"/></proof>
+  <proof prover="4"><result status="valid" time="0.16" steps="47"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.192" expl="loop invariant preservation" proved="true">
-  <proof prover="4" timelimit="10" memlimit="4000"><result status="valid" time="2.91" steps="1034"/></proof>
+  <proof prover="4" timelimit="10" memlimit="4000"><result status="valid" time="2.78" steps="1034"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.193" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.13" steps="44"/></proof>
+  <proof prover="4"><result status="valid" time="0.17" steps="44"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.194" expl="exceptional postcondition" proved="true">
   <transf name="subst_all" proved="true" >
    <goal name="interp_instruction&#39;vc.194.0" expl="exceptional postcondition" proved="true">
    <transf name="apply" proved="true" arg1="eval_while_abort" arg2="with" arg3="ctr,last_result">
     <goal name="interp_instruction&#39;vc.194.0.0" expl="apply premises" proved="true">
-    <proof prover="0" timelimit="5"><result status="valid" time="0.28" steps="73363"/></proof>
+    <proof prover="0" timelimit="5"><result status="valid" time="0.24" steps="73911"/></proof>
     </goal>
     <goal name="interp_instruction&#39;vc.194.0.1" expl="apply premises" proved="true">
-    <proof prover="4"><result status="valid" time="0.82" steps="235"/></proof>
+    <proof prover="4"><result status="valid" time="0.84" steps="235"/></proof>
     </goal>
    </transf>
    </goal>
   </transf>
   </goal>
   <goal name="interp_instruction&#39;vc.195" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.09" steps="44"/></proof>
+  <proof prover="0"><result status="valid" time="0.15" steps="69391"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.196" expl="exceptional postcondition" proved="true">
   <transf name="subst_all" proved="true" >
    <goal name="interp_instruction&#39;vc.196.0" expl="exceptional postcondition" proved="true">
    <transf name="apply" proved="true" arg1="eval_while_abort" arg2="with" arg3="ctr,last_result">
     <goal name="interp_instruction&#39;vc.196.0.0" expl="apply premises" proved="true">
-    <proof prover="0" timelimit="5"><result status="valid" time="0.21" steps="73617"/></proof>
+    <proof prover="0" timelimit="5"><result status="valid" time="0.25" steps="74165"/></proof>
     </goal>
     <goal name="interp_instruction&#39;vc.196.0.1" expl="apply premises" proved="true">
-    <proof prover="4"><result status="valid" time="0.79" steps="235"/></proof>
+    <proof prover="4"><result status="valid" time="0.81" steps="235"/></proof>
     </goal>
    </transf>
    </goal>
@@ -722,61 +722,61 @@
    <goal name="interp_instruction&#39;vc.197.0" expl="exceptional postcondition" proved="true">
    <transf name="apply" proved="true" arg1="eval_while_abort" arg2="with" arg3="ctr,last_result">
     <goal name="interp_instruction&#39;vc.197.0.0" expl="apply premises" proved="true">
-    <proof prover="0" timelimit="5"><result status="valid" time="0.26" steps="73368"/></proof>
+    <proof prover="0" timelimit="5"><result status="valid" time="0.25" steps="73916"/></proof>
     </goal>
     <goal name="interp_instruction&#39;vc.197.0.1" expl="apply premises" proved="true">
-    <proof prover="4"><result status="valid" time="0.93" steps="242"/></proof>
+    <proof prover="4"><result status="valid" time="0.91" steps="242"/></proof>
     </goal>
    </transf>
    </goal>
   </transf>
   </goal>
   <goal name="interp_instruction&#39;vc.198" expl="postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.29" steps="68817"/></proof>
+  <proof prover="4"><result status="valid" time="0.20" steps="40"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.199" expl="postcondition" proved="true">
   <transf name="subst_all" proved="true" >
    <goal name="interp_instruction&#39;vc.199.0" expl="postcondition" proved="true">
    <transf name="apply" proved="true" arg1="eval_while" arg2="with" arg3="(sem_context sta1),ctr,(!(sta.result))">
     <goal name="interp_instruction&#39;vc.199.0.0" expl="apply premises" proved="true">
-    <proof prover="0"><result status="valid" time="0.42" steps="87484"/></proof>
+    <proof prover="0"><result status="valid" time="0.40" steps="88036"/></proof>
     </goal>
     <goal name="interp_instruction&#39;vc.199.0.1" expl="apply premises" proved="true">
-    <proof prover="0"><result status="valid" time="0.33" steps="80083"/></proof>
+    <proof prover="0"><result status="valid" time="0.32" steps="80631"/></proof>
     </goal>
    </transf>
    </goal>
   </transf>
   </goal>
   <goal name="interp_instruction&#39;vc.200" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="36"/></proof>
+  <proof prover="4" timelimit="5"><result status="valid" time="0.25" steps="36"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.201" expl="exceptional postcondition" proved="true">
   <transf name="subst_all" proved="true" >
    <goal name="interp_instruction&#39;vc.201.0" expl="exceptional postcondition" proved="true">
    <transf name="apply" proved="true" arg1="eval_while_abort" arg2="with" arg3="ctr,last_result">
     <goal name="interp_instruction&#39;vc.201.0.0" expl="apply premises" proved="true">
-    <proof prover="0" timelimit="5"><result status="valid" time="0.22" steps="73157"/></proof>
+    <proof prover="0" timelimit="5"><result status="valid" time="0.25" steps="73705"/></proof>
     </goal>
     <goal name="interp_instruction&#39;vc.201.0.1" expl="apply premises" proved="true">
-    <proof prover="4"><result status="valid" time="0.42" steps="148"/></proof>
+    <proof prover="4"><result status="valid" time="0.50" steps="148"/></proof>
     </goal>
    </transf>
    </goal>
   </transf>
   </goal>
   <goal name="interp_instruction&#39;vc.202" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.10" steps="36"/></proof>
+  <proof prover="4"><result status="valid" time="0.13" steps="36"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.203" expl="exceptional postcondition" proved="true">
   <transf name="subst_all" proved="true" >
    <goal name="interp_instruction&#39;vc.203.0" expl="exceptional postcondition" proved="true">
    <transf name="apply" proved="true" arg1="eval_while_abort" arg2="with" arg3="ctr,last_result">
     <goal name="interp_instruction&#39;vc.203.0.0" expl="apply premises" proved="true">
-    <proof prover="0" timelimit="5"><result status="valid" time="0.23" steps="73411"/></proof>
+    <proof prover="0" timelimit="5"><result status="valid" time="0.25" steps="73959"/></proof>
     </goal>
     <goal name="interp_instruction&#39;vc.203.0.1" expl="apply premises" proved="true">
-    <proof prover="4"><result status="valid" time="0.44" steps="150"/></proof>
+    <proof prover="4"><result status="valid" time="0.46" steps="150"/></proof>
     </goal>
    </transf>
    </goal>
@@ -787,7 +787,7 @@
    <goal name="interp_instruction&#39;vc.204.0" expl="exceptional postcondition" proved="true">
    <transf name="apply" proved="true" arg1="eval_while_abort" arg2="with" arg3="ctr,last_result">
     <goal name="interp_instruction&#39;vc.204.0.0" expl="apply premises" proved="true">
-    <proof prover="0" timelimit="5"><result status="valid" time="0.24" steps="73162"/></proof>
+    <proof prover="0" timelimit="5"><result status="valid" time="0.22" steps="73710"/></proof>
     </goal>
     <goal name="interp_instruction&#39;vc.204.0.1" expl="apply premises" proved="true">
     <proof prover="4"><result status="valid" time="0.35" steps="152"/></proof>
@@ -797,46 +797,46 @@
   </transf>
   </goal>
   <goal name="interp_instruction&#39;vc.205" expl="precondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.28" steps="68185"/></proof>
+  <proof prover="0"><result status="valid" time="0.27" steps="68661"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.206" expl="precondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.07" steps="24"/></proof>
+  <proof prover="4"><result status="valid" time="0.13" steps="24"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.207" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.21" steps="50"/></proof>
+  <proof prover="0"><result status="valid" time="0.31" steps="69414"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.208" expl="postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.69" steps="79603"/></proof>
+  <proof prover="4"><result status="valid" time="0.48" steps="236"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.209" expl="exceptional postcondition" proved="true">
   <proof prover="4"><result status="valid" time="0.20" steps="50"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.210" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.42" steps="234"/></proof>
+  <proof prover="4"><result status="valid" time="0.50" steps="237"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.211" expl="postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.37" steps="68707"/></proof>
+  <proof prover="4"><result status="valid" time="0.10" steps="42"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.212" expl="postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.17" steps="123"/></proof>
+  <proof prover="4"><result status="valid" time="0.31" steps="127"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.213" expl="exceptional postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.12" steps="68707"/></proof>
+  <proof prover="4"><result status="valid" time="0.17" steps="42"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.214" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.30" steps="125"/></proof>
+  <proof prover="4"><result status="valid" time="0.30" steps="131"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.215" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.16" steps="38"/></proof>
+  <proof prover="4"><result status="valid" time="0.19" steps="38"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.216" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.86" steps="518"/></proof>
+  <proof prover="4"><result status="valid" time="0.54" steps="391"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.217" expl="exceptional postcondition" proved="true">
-  <proof prover="4" timelimit="5"><result status="valid" time="0.25" steps="40"/></proof>
+  <proof prover="4"><result status="valid" time="0.29" steps="113"/></proof>
   </goal>
   <goal name="interp_instruction&#39;vc.218" expl="exceptional postcondition" proved="true">
-  <proof prover="4"><result status="valid" time="0.18" steps="30"/></proof>
+  <proof prover="4"><result status="valid" time="0.19" steps="30"/></proof>
   </goal>
  </transf>
  </goal>
@@ -846,40 +846,40 @@
  <goal name="interp_list_expr&#39;vc" expl="VC for interp_list_expr" proved="true">
  <transf name="split_vc" proved="true" >
   <goal name="interp_list_expr&#39;vc.0" expl="postcondition" proved="true">
-  <proof prover="0" timelimit="5"><result status="valid" time="0.26" steps="68178"/></proof>
+  <proof prover="0"><result status="valid" time="0.24" steps="68654"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.1" expl="postcondition" proved="true">
-  <proof prover="0" timelimit="5"><result status="valid" time="0.20" steps="68179"/></proof>
+  <proof prover="0" timelimit="5"><result status="valid" time="0.15" steps="68655"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.2" expl="postcondition" proved="true">
-  <proof prover="0" timelimit="5"><result status="valid" time="0.21" steps="73905"/></proof>
+  <proof prover="0" timelimit="5"><result status="valid" time="0.37" steps="74453"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.3" expl="precondition" proved="true">
-  <proof prover="0" timelimit="5"><result status="valid" time="0.23" steps="68222"/></proof>
+  <proof prover="0" timelimit="5"><result status="valid" time="0.35" steps="68698"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="0" timelimit="5"><result status="valid" time="0.15" steps="68225"/></proof>
+  <proof prover="0" timelimit="5"><result status="valid" time="0.23" steps="68701"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.5" expl="precondition" proved="true">
-  <proof prover="0" timelimit="5"><result status="valid" time="0.19" steps="68443"/></proof>
+  <proof prover="0" timelimit="5"><result status="valid" time="0.26" steps="68919"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.6" expl="precondition" proved="true">
-  <proof prover="0" timelimit="5"><result status="valid" time="0.15" steps="68446"/></proof>
+  <proof prover="0" timelimit="5"><result status="valid" time="0.29" steps="68922"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.7" expl="postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.24" steps="68662"/></proof>
+  <proof prover="0" timelimit="5"><result status="valid" time="0.19" steps="69138"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.8" expl="postcondition" proved="true">
-  <proof prover="0" timelimit="5"><result status="valid" time="0.29" steps="71718"/></proof>
+  <proof prover="0" timelimit="5"><result status="valid" time="0.30" steps="72266"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.9" expl="postcondition" proved="true">
-  <proof prover="0"><result status="valid" time="0.27" steps="71199"/></proof>
+  <proof prover="0" timelimit="5"><result status="valid" time="0.21" steps="71747"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.10" expl="exceptional postcondition" proved="true">
-  <proof prover="0" timelimit="5"><result status="valid" time="0.30" steps="68455"/></proof>
+  <proof prover="0"><result status="valid" time="0.27" steps="69019"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.11" expl="exceptional postcondition" proved="true">
-  <proof prover="0" timelimit="5"><result status="valid" time="0.35" steps="68196"/></proof>
+  <proof prover="0" timelimit="5"><result status="valid" time="0.15" steps="68760"/></proof>
   </goal>
  </transf>
  </goal>
diff --git a/src/concrete/interpreter/why3shapes.gz b/src/concrete/interpreter/why3shapes.gz
index 6182b91c..c959bad5 100644
Binary files a/src/concrete/interpreter/why3shapes.gz and b/src/concrete/interpreter/why3shapes.gz differ
diff --git a/src/concrete/semantics.mlw b/src/concrete/semantics.mlw
index d641a898..b3a03889 100644
--- a/src/concrete/semantics.mlw
+++ b/src/concrete/semantics.mlw
@@ -32,20 +32,6 @@ module Behaviour
     | BIncomplete, BIncomplete ->  True
     | _ -> False
     end
-
-  (* let function behaviour (under_condition res:bool) : behaviour *)
-  (*   ensures { result = BNormal \/ result = BExit } *)
-  (*   returns { *)
-  (*     | BNormal -> *)
-  (*       under_condition = True \/ res = True *)
-  (*     | BExit -> *)
-  (*       under_condition = False /\ res = False *)
-  (*     | BReturn | BIncomplete -> *)
-  (*       false *)
-  (*   } *)
-  (* = if andb (strict under_condition) (notb res) *)
-  (*   then BExit *)
-  (*   else BNormal *)
 end
 
 (** {2 Stdin and stdout buffers} *)
@@ -159,7 +145,6 @@ module Buffers
       | Cons l ls -> concat_empty_left {line=l; lines=ls}
       end
 
-
     let rec lemma concat_empty_right (out:t)
       variant { out.lines }
       ensures {
@@ -252,9 +237,14 @@ end
 
 module Env
 
+  use option.Option
   use syntax.Identifier
   use map.Map as M
 
+  (** A partial environment *)
+  type env0 'a = abstract { to_map0 : M.map identifier (option 'a) }
+
+  (** A total environment with default *)
   type env 'a = abstract { to_map : M.map identifier 'a; default: 'a }
   meta coercion function to_map
 
@@ -315,26 +305,34 @@ module Arguments
     shift_arguments n args = None
 end
 
-(** {2 Concrete semantics of the CoLiS language} *)
-module Semantics
+module Path
+
+  use list.List
+
+  (** abstract type for filenames (excluding "." and ".."), named
+      "feature" in the tree constraint vocabulary *)
+  type feature
+
+  type normalized_path
+
+  val constant default_cwd : normalized_path
+
+  (** For `cd`: append `s` to `p` if `s` is relative or just `s` as path if it is absolute *)
+  val function absolute_or_concat_relative (p:normalized_path) (s:string) : normalized_path
+
+  val function normalized_path_to_string (p:normalized_path) : string
+end
+
+(** {2 Concrete evaluation context} *)
+module Context
 
-  use int.Int
   use list.List
-  use list.Append
   use option.Option
-  use bool.Bool
 
   use string.String
   use syntax.Syntax
-
-  use auxiliaries.OptionGet
-  use Result
-  use Arguments
-  use Behaviour
-  use Buffers
-  use Config
-  use Input
-  use import Env as E
+  use Path
+  use Env
 
   (** {3 The concrete evaluation context}
 
@@ -366,16 +364,6 @@ module Semantics
   let constant empty_func_env : func_env =
     empty_env None
 
-  type normalized_path = list string
-
-  let constant default_cwd : normalized_path = Nil
-
-  (** For `cd` *)
-  (** Append `s` to `p` if `s` is relative or just `s` as path if it is absolute *)
-  val function absolute_or_concat_relative (p:normalized_path) (s:string) : normalized_path
-
-  val function normalized_path_to_string (p:normalized_path) : string
-
   let constant identifier_test = identifier_of_string "test"
   let constant identifier_pwd = identifier_of_string "PWD"
 
@@ -403,12 +391,47 @@ module Semantics
     result = True;
   }
 
-  val function filter_var_env (env:var_env) : env string
+  val function filter_var_env (env:var_env) : env0 string
   (** A specification is not required because the result is not used inside the language
       but only in utilities which are not specified. *)
   (* ensures { forall x s. *)
   (*   env[x] = {value=Some s; exported=True} <-> result[x] = s *)
   (* } *)
+end (* Context *)
+
+module Semantics
+  use bool.Bool
+  use int.Int
+  use list.Append
+  use list.List
+  use option.Option
+
+  use auxiliaries.OptionGet
+  use syntax.Identifier
+  use syntax.Syntax
+
+  use Arguments
+  use Behaviour
+  use Buffers
+  use Config
+  use Context as Context
+  use Env
+  use Input
+  use Path
+  use Result
+
+  type utility_context = {
+    cwd: normalized_path;
+    env: env0 string;
+    args: list string
+  }
+
+  let function utility_context args ctx = {
+    cwd = ctx.Context.cwd;
+    env = Context.filter_var_env ctx.Context.var_env;
+    args = args
+  }
+  use Context
 
   (** {3 Evaluation state}
 
@@ -427,14 +450,11 @@ module Semantics
     log: stdout; (** Combines stdout with utility traces and error messages *)
   }
 
-  type utility_context = (normalized_path, env string, list string)
-
-  (** Interprete a command defined in the document *Specification of UNIX Commands*. *)
-  val function interp_utility utility_context identifier state : (state, result bool)
+  predicate interp_utility (utility_context, identifier, state) (state, result bool)
 
-  axiom interp_utility_extends_output : forall ctx id sta sta' r.
-    interp_utility ctx id {sta with stdout=Stdout.empty} = (sta', r) ->
-    interp_utility ctx id sta = ({sta' with stdout=Stdout.concat sta.stdout sta'.stdout}, r)
+  axiom interp_utility_extends_output : forall ctx id sta sta1 b.
+    interp_utility (ctx, id, {sta with stdout=Stdout.empty}) (sta1, b) ->
+    interp_utility (ctx, id, sta) ({sta with stdout=Stdout.concat sta.stdout sta1.stdout}, b)
 
   let function bool_of_return_code (c:return_code) (previous:bool) : bool =
     match c with
@@ -462,10 +482,10 @@ module Semantics
   (* Reexport mixfix operators. *)
 
   let function ([]) (e:env 'a) (id:identifier) : 'a =
-    E.(e[id])
+    Env.(e[id])
 
   let function ([<-]) (e:env 'a) (id:identifier) (value:'a) : env 'a =
-    E.(e[id <- value])
+    Env.(e[id <- value])
 
   (** Define mixfix operators for variable environments that retain or ignore the
       export_state flag in the environment variable. *)
@@ -522,15 +542,17 @@ module Semantics
   | eval_cd_incomplete : forall stk inp ctx sta se sta1 s _b sta2.
     eval_str_expr stk True (inp, ctx, sta) se (sta1, Ok (s, _b)) ->
     (* `test -d (CWD/)s` *)
-    let cwd_p = absolute_or_concat_relative ctx.cwd s in
-    interp_utility (ctx.cwd, filter_var_env ctx.var_env, Cons "-d" (Cons (normalized_path_to_string cwd_p) Nil)) identifier_test sta1 = (sta2, Incomplete) ->
+    let cwd_p = absolute_or_concat_relative ctx.Context.cwd s in
+    let args = Cons "-d" (Cons (normalized_path_to_string cwd_p) Nil) in
+    interp_utility (utility_context args ctx, identifier_test, sta1) (sta2, Incomplete) ->
     eval_instruction stk (inp, ctx, sta) (ICd se) (sta2, ctx, BIncomplete)
 
   | eval_cd_no_dir : forall stk inp ctx sta se sta1 s _b sta2.
     eval_str_expr stk True (inp, ctx, sta) se (sta1, Ok (s, _b)) ->
     (* `test -d (CWD/)s` *)
-    let cwd_p = absolute_or_concat_relative ctx.cwd s in
-    interp_utility (ctx.cwd, filter_var_env ctx.var_env, Cons "-d" (Cons (normalized_path_to_string cwd_p) Nil)) identifier_test sta1 = (sta2, Ok False) ->
+    let cwd_p = absolute_or_concat_relative ctx.Context.cwd s in
+    let args = Cons "-d" (Cons (normalized_path_to_string cwd_p) Nil) in
+    interp_utility (utility_context args ctx, identifier_test, sta1) (sta2, Ok False) ->
     let ctx1 = {ctx with result = False} in
     let bhv = behaviour inp False in
     eval_instruction stk (inp, ctx, sta) (ICd se) (sta2, ctx1, bhv)
@@ -538,9 +560,10 @@ module Semantics
   | eval_cd : forall stk inp ctx sta se sta1 s _b sta2.
     eval_str_expr stk True (inp, ctx, sta) se (sta1, Ok (s, _b)) ->
     (* `test -d (CWD/)s` *)
-    let cwd_p = absolute_or_concat_relative ctx.cwd s in
-    interp_utility (ctx.cwd, filter_var_env ctx.var_env, Cons "-d" (Cons (normalized_path_to_string cwd_p) Nil)) identifier_test sta1 = (sta2, Ok True) ->
-    let ctx1 = {ctx with result = True; var_env = ctx.var_env[identifier_pwd <- normalized_path_to_string cwd_p]'; cwd = cwd_p} in
+    let cwd_p = absolute_or_concat_relative ctx.Context.cwd s in
+    let args = Cons "-d" (Cons (normalized_path_to_string cwd_p) Nil) in
+    interp_utility (utility_context args ctx, identifier_test, sta1) (sta2, Ok True) ->
+    let ctx1 = {ctx with result = True; var_env = ctx.var_env[identifier_pwd <- normalized_path_to_string cwd_p]'; Context.cwd = cwd_p} in
     let bhv = behaviour inp True in
     eval_instruction stk (inp, ctx, sta) (ICd se) (sta2, ctx1, bhv)
 
@@ -631,12 +654,12 @@ module Semantics
   
   | eval_call_utility_incomplete: forall stk inp ctx sta sta' sta'' id es ss.
     eval_list_expr stk (inp, ctx, sta) es (sta', Ok ss) ->
-    interp_utility (ctx.cwd, filter_var_env ctx.var_env, ss) id sta' = (sta'', Incomplete) ->
+    interp_utility (utility_context ss ctx, id, sta') (sta'', Incomplete) ->
     eval_instruction stk (inp, ctx, sta) (ICallUtility id es) (sta'', ctx, BIncomplete)
 
   | eval_call_utility: forall stk inp ctx sta sta' sta'' id es ss b.
     eval_list_expr stk (inp, ctx, sta) es (sta', Ok ss) ->
-    interp_utility (ctx.cwd, filter_var_env ctx.var_env, ss) id sta' = (sta'', Ok b) ->
+    interp_utility (utility_context ss ctx, id, sta') (sta'', Ok b) ->
     let ctx' = {ctx with result=b} in
     let bhv = behaviour inp b in
     eval_instruction stk (inp, ctx, sta) (ICallUtility id es) (sta'', ctx', bhv)
diff --git a/src/concrete/semantics/why3session.xml b/src/concrete/semantics/why3session.xml
index 3504f4ca..a7f18a9a 100644
--- a/src/concrete/semantics/why3session.xml
+++ b/src/concrete/semantics/why3session.xml
@@ -169,13 +169,15 @@
  </transf>
  </goal>
 </theory>
-<theory name="Semantics" proved="true">
+<theory name="Context" proved="true">
  <goal name="add_var_bindings&#39;vc" expl="VC for add_var_bindings" proved="true">
- <proof prover="5"><result status="valid" time="0.02" steps="83"/></proof>
+ <proof prover="1" timelimit="1" memlimit="1000"><result status="valid" time="0.06" steps="18917"/></proof>
  </goal>
  <goal name="same_context" proved="true">
- <proof prover="5"><result status="valid" time="0.03" steps="28"/></proof>
+ <proof prover="1" timelimit="1" memlimit="1000"><result status="valid" time="0.06" steps="16802"/></proof>
  </goal>
+</theory>
+<theory name="Semantics" proved="true">
  <goal name="no_while_incomplete&#39;vc" expl="VC for no_while_incomplete" proved="true">
  <proof prover="5" timelimit="10"><result status="valid" time="1.02" steps="449"/></proof>
  </goal>
@@ -186,7 +188,7 @@
  <proof prover="5"><result status="valid" time="0.21" steps="143"/></proof>
  </goal>
  <goal name="eval_foreach_concat&#39;vc" expl="VC for eval_foreach_concat" proved="true">
- <proof prover="5" timelimit="10"><result status="valid" time="3.24" steps="970"/></proof>
+ <proof prover="5" timelimit="10"><result status="valid" time="2.60" steps="970"/></proof>
  </goal>
  <goal name="eval_foreach_last&#39;vc" expl="VC for eval_foreach_last" proved="true">
  <transf name="split_vc" proved="true" >
@@ -195,15 +197,15 @@
    <goal name="eval_foreach_last&#39;vc.0.0" expl="postcondition" proved="true">
    <transf name="split_vc" proved="true" >
     <goal name="eval_foreach_last&#39;vc.0.0.0" expl="postcondition" proved="true">
-    <proof prover="5" timelimit="10" memlimit="4000"><result status="valid" time="2.21" steps="719"/></proof>
+    <proof prover="5" timelimit="10" memlimit="4000"><result status="valid" time="1.77" steps="719"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="eval_foreach_last&#39;vc.0.1" expl="postcondition" proved="true">
-   <proof prover="5"><result status="valid" time="0.07" steps="26"/></proof>
+   <proof prover="5"><result status="valid" time="0.13" steps="26"/></proof>
    </goal>
    <goal name="eval_foreach_last&#39;vc.0.2" expl="postcondition" proved="true">
-   <proof prover="5"><result status="valid" time="0.27" steps="44"/></proof>
+   <proof prover="5"><result status="valid" time="0.24" steps="44"/></proof>
    </goal>
   </transf>
   </goal>
@@ -213,10 +215,10 @@
    <proof prover="5"><result status="valid" time="0.09" steps="39"/></proof>
    </goal>
    <goal name="eval_foreach_last&#39;vc.1.1" expl="postcondition" proved="true">
-   <proof prover="5"><result status="valid" time="0.11" steps="26"/></proof>
+   <proof prover="5"><result status="valid" time="0.13" steps="26"/></proof>
    </goal>
    <goal name="eval_foreach_last&#39;vc.1.2" expl="postcondition" proved="true">
-   <proof prover="5"><result status="valid" time="0.43" steps="115"/></proof>
+   <proof prover="5"><result status="valid" time="0.27" steps="115"/></proof>
    </goal>
   </transf>
   <transf name="split_vc" proved="true" >
diff --git a/src/concrete/semantics/why3shapes.gz b/src/concrete/semantics/why3shapes.gz
index 6ca41a73..ce752958 100644
Binary files a/src/concrete/semantics/why3shapes.gz and b/src/concrete/semantics/why3shapes.gz differ
diff --git a/src/concrete/utilities.ml b/src/concrete/utilities.ml
index 187652b2..411c92e8 100644
--- a/src/concrete/utilities.ml
+++ b/src/concrete/utilities.ml
@@ -8,9 +8,7 @@ open Semantics__Result
 open Semantics__Buffers
 open Interpreter__Semantics
 
-module IdMap = Env.IdMap
-
-type env = string IdMap.t
+type env = string Env.SMap.t
 
 let incomplete ~utility msg = fun sta ->
   let str = utility ^ ": " ^ msg in
@@ -42,7 +40,7 @@ let dpkg_compare_versions args =
 let dpkg_validate_thing subcmd arg =
   Sys.command ("dpkg " ^ subcmd ^ " " ^arg) = 0
 
-let interp_utility (_cwd, var_env, args) id sta =
+let interp_utility ({env; args; _}, id, sta) =
   match id with
   | "echo" ->
      let stdout =
@@ -69,7 +67,7 @@ let interp_utility (_cwd, var_env, args) id sta =
       let print_line sta line =
         {sta with stdout=Stdout.(sta.stdout |> output line |> newline)}
       in
-      IdMap.bindings var_env |>
+      Env.SMap.bindings env |>
       List.map format_line |>
       List.fold_left print_line sta, Ok true
     | _arg :: _ ->
diff --git a/src/symbolic/driver.drv b/src/symbolic/driver.drv
index 220d850d..819185c7 100644
--- a/src/symbolic/driver.drv
+++ b/src/symbolic/driver.drv
@@ -1,21 +1,3 @@
-module symbolicInterpreter.Constraints
-  syntax type clause "Colis_constraints.Clause.sat_conj"
-  syntax type variable "Colis_constraints.Var.t"
-  syntax type feature "Colis_constraints.Feat.t"
-  syntax type path "Colis_constraints.Path.t"
-end
-
-module symbolicInterpreter.Semantics
-  syntax val filter_var_env "Env.filter_var_env (fun v -> v.SymbolicInterpreter__Semantics.exported) (fun v -> v.SymbolicInterpreter__Semantics.value) %1"
-  syntax val interp_utility "assert false"
-  syntax val absolute_or_concat_relative "Colis_constraints.(List.map Feat.to_string (Path.normalize ~cwd:(List.map Feat.from_string %1) (Path.from_string %2)))"
-  syntax val normalized_path_to_string "Colis_constraints.(Path.normal_to_string (List.map Feat.from_string %1))"
-end
-
-module symbolicInterpreter.Interpreter
-  syntax val sym_interp_utility "BatSet.to_list (SymbolicUtility.dispatch' %1 %2 %3)"
-end
-
 module collection.Collection
   syntax type t "%1 list"
   syntax val mem "List.mem %1 %2"
diff --git a/src/symbolic/symbolicInterpreter.mlw b/src/symbolic/symbolicInterpreter.mlw
index 9c6f5082..50dbf00e 100644
--- a/src/symbolic/symbolicInterpreter.mlw
+++ b/src/symbolic/symbolicInterpreter.mlw
@@ -1,1324 +1,1278 @@
-module Constraints
-
-  type variable
-  (** abstract type for variables denoting nodes in the file system *)
-
-  type feature
-  (** abstract type for filenames (excluding "." and ".."), named
-      "feature" in the tree constraint vocabulary *)
-
-  type clause
-  (** abstract type for tree constraints, [IMPORTANT] which are always satisfiable *)
-
-  type path
-end
-
-module Filesystem
-  use option.Option
-  use Constraints
-
-  (** A symbolic filesystem composed by a variable indicating root, constraints, and the
-      current working directory `cwd` as feature path. root₀ may refer to the initial root
-      variable. When provided it should not be pruned (“quantified over”) during symbolic
-      execution of utilities. *)
-  type filesystem = {
-    root : variable;
-    clause : clause;
-    root0 : option variable;
-  }
-end
-
-module Semantics
-  use list.List
-  use Filesystem
-  use Constraints
-
-  (* Instantiate the concrete semantics with the symbolic filesystem *)
-  clone export semantics.Semantics with
-    type filesystem = filesystem,
-    axiom interp_utility_extends_output
-end
-
-
-module SymState
-
-  use list.List
-  use Semantics
-
-  (** A symbolic state combines a concrete context and a program state as defined in the
-      semantics with a filesystem using feature constraints. *)
-  type sym_state 'a = {
-    context: context;
-    state: state;
-    data: 'a (* Used to fiddle additional information through interp_instr': A stdin in pipe and the last result in the loops *)
-  }
-
-  let function with_data data =
-    fun sta ->
-      {sta with data = data}
-end
-
-(** The symbolic interpretation of a program results describes multiple possible results
-  *)
-module Results
-
-  use set.Fset as Fset
-  use collection.Collection as Cn
-  use list.ListRich as L
-  use semantics.Input
-  use semantics.Behaviour
-  use Semantics
-  use SymState
-
-  (** The results of a symbolic execution is a quadruple of sets of symbolic states, where
-      each components corresponds to a behaviour. *)
-  type t 'a = {
-    normal  : Cn.t (sym_state 'a);
-    exit    : Cn.t (sym_state 'a);
-    return_ : Cn.t (sym_state 'a);
-    failure : Cn.t (sym_state 'a);
-  }
-
-  let constant empty = {
-    normal  = Cn.empty;
-    exit    = Cn.empty;
-    return_ = Cn.empty;
-    failure = Cn.empty;
-  }
-
-  predicate mem (sta:sym_state 'a) (bhv:behaviour) (rs:t 'a) =
-    match bhv with
-    | BNormal  -> Cn.mem sta rs.normal
-    | BExit    -> Cn.mem sta rs.exit
-    | BReturn  -> Cn.mem sta rs.return_
-    | BIncomplete -> Cn.mem sta rs.failure
-    end
-
-  let function map (f:sym_state 'a -> sym_state 'b) (res:t 'a) : t 'b
-    ensures { forall sta bhv. mem sta bhv res -> mem (f sta) bhv result }
-    ensures { forall sta' bhv. mem sta' bhv result -> exists sta. mem sta bhv res /\ sta' = f sta }
-  = { normal  = Cn.map f res.normal;
-      exit    = Cn.map f res.exit;
-      return_ = Cn.map f res.return_;
-      failure = Cn.map f res.failure; }
-
-  let function union (res1 res2: t 'a) : t 'a
-    ensures { forall sta bhv. mem sta bhv res1 -> mem sta bhv result }
-    ensures { forall sta bhv. mem sta bhv res2 -> mem sta bhv result }
-    ensures { forall sta bhv. mem sta bhv result -> mem sta bhv res1 \/ mem sta bhv res2 }
-  = { normal  = Cn.union res1.normal  res2.normal;
-      exit    = Cn.union res1.exit    res2.exit;
-      return_ = Cn.union res1.return_ res2.return_;
-      failure = Cn.union res1.failure res2.failure; }
-
-  lemma union_1: forall sta: sym_state 'a, bhv res1 res2.
-    mem sta bhv res1 -> mem sta bhv (union res1 res2)
-
-  lemma union_2: forall sta: sym_state 'a, bhv res1 res2.
-    mem sta bhv res2 -> mem sta bhv (union res1 res2)
-
-  let rec flatten_list (l: L.list (t 'a)) : t 'a
-    variant { l }
-    ensures { forall res sta bhv. L.mem res l -> mem sta bhv res -> mem sta bhv result }
-    ensures { forall sta bhv. mem sta bhv result -> exists res. L.mem res l /\ mem sta bhv res }
-  = match l with
-    | L.Nil -> empty
-    | L.Cons rs l' ->
-      union rs (flatten_list l')
-    end
-
-  let flatten (c: Cn.t (t 'a)) : t 'a
-    ensures { forall res sta bhv. Cn.mem res c -> mem sta bhv res -> mem sta bhv result }
-    ensures { forall sta bhv. mem sta bhv result -> exists res. Cn.mem res c /\ mem sta bhv res }
-  = flatten_list (Cn.to_list c)
-
-  let bind_collection (f: 'a -> t 'b) (c: Cn.t 'a) : t 'b
-    ensures {
-      forall x sta bhv.
-      Cn.mem x c ->
-      mem sta bhv (f x) ->
-      mem sta bhv result
-    }
-    ensures {
-      forall sta bhv.
-      mem sta bhv result ->
-      exists x.
-      Cn.mem x c /\
-      mem sta bhv (f x)
-    }
-  = flatten (Cn.map f c)
-
-  let separate_normal (res:t 'a) : (normal: Cn.t (sym_state 'a), other: t 'a)
-    ensures { normal = res.normal }
-    ensures { other.normal = Cn.empty }
-    ensures { other.exit = res.exit }
-    ensures { other.return_ = res.return_ }
-    ensures { other.failure = res.failure }
-    ensures { forall s. Cn.mem s normal -> Cn.mem s res.normal }
-    ensures { forall s bhv. mem s bhv other -> bhv <> BNormal /\ mem s bhv res }
-  = res.normal, {res with normal = Cn.empty}
-
-  let function separate_non_failure (res:t 'a) : (Cn.t (sym_state 'a), Cn.t (sym_state 'a))
-    = Cn.(union res.normal (union res.exit res.return_)), res.failure
-
-  let function all_states (res:t 'a) : Cn.t (sym_state 'a) =
-    Cn.(union res.normal (union res.exit (union res.return_ res.failure)))
-
-  let stas_as_failures (ctx:context) (stas:Cn.t state) : t unit
-    ensures { result.normal = Cn.empty }
-    ensures { result.exit = Cn.empty }
-    ensures { result.return_ = Cn.empty }
-    ensures { forall s. Cn.mem s result.failure -> Cn.mem s.state stas /\ s.context=ctx /\ s.data = () }
-    ensures { forall s. Cn.mem s stas -> Cn.mem {state=s; context=ctx; data=()} result.failure }
-  = let aux sta = {state=sta; context=ctx; data=()} in
-    {empty with failure=Cn.map aux stas}
-
-  let function single_behaviour bhv (stas: Cn.t (sym_state 'a)) : t 'a =
-    match bhv with
-    | BNormal -> {empty with normal=stas}
-    | BExit -> {empty with exit=stas}
-    | BReturn -> {empty with return_=stas}
-    | BIncomplete -> {empty with failure=stas}
-    end
-
-  let function inject (inp: input) (stas: Cn.t (sym_state 'a)) : t 'a
-    (* ensures { forall sta bhv. mem sta bhv result <-> Cn.mem sta stas /\ bhv = behaviour inp sta.context.result } *)
-    (* ensures { stas = Cn.union result.normal result.exit by Cn.(stas == union result.normal result.exit) } *)
-    (* ensures { forall s. Cn.mem s result.normal -> Cn.mem s stas /\ behaviour inp s.context.result = BNormal } *)
-    (* ensures { forall s. Cn.mem s result.exit -> Cn.mem s stas /\ behaviour inp s.context.result = BExit } *)
-    (* ensures { result.return_ = Cn.empty } *)
-    (* ensures { result.failure = Cn.empty } *)
-  = let exit, normal = Cn.partition (fun sta -> exit_not_normal inp sta.context.result) stas in
-    (* assert { forall sta. Cn.mem sta exit -> exit_not_normal inp sta.context.result = True }; *)
-    (* assert { forall sta. Cn.mem sta normal -> exit_not_normal inp sta.context.result = False }; *)
-    {empty with normal=normal; exit=exit}
-    (* ensures { forall sta bhv. mem sta bhv result -> Cn.mem sta normal \/ Cn.mem sta exit } *)
-
-  lemma mem_inject: forall res: t 'a, sta bhv inp stas.
-    res = inject inp stas ->
-    (mem sta bhv res <-> Cn.mem sta stas /\ bhv = behaviour inp sta.context.result)
-
-  lemma inject_union: forall res: t 'a, inp stas.
-    res = inject inp stas ->
-    stas = Cn.union res.normal res.exit by
-    Cn.(stas == union res.normal res.exit)
-
-  lemma inject_return_empty: forall res: t 'a, inp stas.
-    res = inject inp stas -> res.return_ = Cn.empty
-
-  lemma inject_failure_empty: forall res: t 'a, inp stas.
-    res = inject inp stas -> res.failure = Cn.empty
-
-  lemma inject_normal_union_exit: forall inp, stas: Cn.t (sym_state 'a).
-    stas = Cn.union (inject inp stas).normal (inject inp stas).exit
-    by Cn.(stas == union (inject inp stas).normal (inject inp stas).exit)
-
-  lemma inject_under_condition_normal: forall res: t 'a, inp stas.
-    res = inject inp stas ->
-    inp.under_condition = True ->
-    res.normal = stas
-    by Cn.(res.normal == stas)
-
-  lemma inject_under_condition_exit: forall inp, stas: Cn.t (sym_state 'a).
-    inp.under_condition = True ->
-    (inject inp stas).exit = Cn.empty
-    by Cn.((inject inp stas).exit == Cn.empty)
-
-  lemma inject_outside_condition_normal: forall inp, stas: Cn.t (sym_state 'a).
-    inp.under_condition = False ->
-    (inject inp stas).normal = Cn.filter (fun sta -> sta.context.result) stas
-    by Cn.((inject inp stas).normal == filter (fun sta -> sta.context.result) stas)
-
-  lemma inject_outside_condition_exit: forall inp, stas: Cn.t (sym_state 'a).
-    inp.under_condition = False ->
-    (inject inp stas).exit = Cn.filter (fun sta -> not sta.context.result) stas
-    by Cn.((inject inp stas).exit == filter (fun sta -> not sta.context.result) stas)
-
-  lemma inject_map: forall f: sym_state 'a -> sym_state 'b, res inp sta sta' bhv stas.
-    res = inject inp (Cn.map f stas) ->
-    sta' = f sta ->
-    bhv = behaviour inp (f sta).context.result ->
-    Cn.mem sta stas ->
-    mem sta' bhv res
-
-  lemma inject_map': forall f: sym_state 'a -> sym_state 'b, res inp sta' bhv stas.
-    res = inject inp (Cn.map f stas) ->
-    mem sta' bhv res ->
-    bhv = behaviour inp sta'.context.result /\
-    exists sta. Cn.mem sta stas /\ sta' = f sta
-
-  lemma union_inject: forall res: t 'a, inp stas.
-    res = inject inp stas ->
-    stas = Cn.union res.normal res.exit
-    by
-    Cn.(stas == union res.normal res.exit)
-
-  lemma mem_union_inject: forall sta: sym_state 'a, bhv inp stas rs.
-    mem sta bhv (union (inject inp stas) rs) <->
-    ((Cn.mem sta stas /\ bhv = behaviour inp sta.context.result) \/
-     mem sta bhv rs)
-
-  lemma mem_union: forall sta bhv, rs1 rs2:t 'a.
-    mem sta bhv (union rs1 rs2) <->
-    (mem sta bhv rs1 \/ mem sta bhv rs2)
-
-  lemma mem_map: forall sta': sym_state 'b, bhv, rs, f: sym_state 'a -> sym_state 'b.
-    mem sta' bhv (map f rs) <->
-    exists sta. mem sta bhv rs /\ sta' = f sta
-
-  lemma failure_union: forall rs1 rs2: t 'a.
-    failure (union rs1 rs2) = Cn.union (failure rs1) (failure rs2)
-
-  lemma mem_mk_results: forall sta: sym_state 'a, bhv normal exit return_ failure.
-    mem sta bhv { normal=normal; exit=exit; return_=return_; failure=failure } <->
-    match bhv with
-    | BNormal  -> Cn.mem sta normal
-    | BExit    -> Cn.mem sta exit
-    | BReturn  -> Cn.mem sta return_
-    | BIncomplete -> Cn.mem sta failure
-    end
-
-  lemma mem_union_results: forall sta: sym_state 'a, bhv rs1 rs2.
-    mem sta bhv (union rs1 rs2) <->
-    (match bhv with
-     | BNormal  -> Cn.mem sta rs1.normal
-     | BExit    -> Cn.mem sta rs1.exit
-     | BReturn  -> Cn.mem sta rs1.return_
-     | BIncomplete -> Cn.mem sta rs1.failure
-     end \/
-     match bhv with
-     | BNormal  -> Cn.mem sta rs2.normal
-     | BExit    -> Cn.mem sta rs2.exit
-     | BReturn  -> Cn.mem sta rs2.return_
-     | BIncomplete -> Cn.mem sta rs2.failure
-     end)
-end
-
 module Interpreter
-
-  use bool.Bool
-  use option.Option
-  use int.Int
-  use list.List
-  use list.ListRich as L
-  use set.Fset
-  use string.OCaml as String
-  use syntax.Syntax
-  use auxiliaries.OptionGet
-  use collection.Collection as Cn
-  use semantics.Result
-  use semantics.Behaviour
-  use semantics.Input
-  use semantics.Config
-  use semantics.Buffers
-  use semantics.Arguments
-  use semantics.Env
-  use Constraints
-  use import Semantics as S
-  use import SymState as St
-  use Results as Rs
-
-  (* Implemented in OCaml *)
-  val function sym_interp_utility (ctx:utility_context) (id:identifier) (sta:state) : Cn.t (state, result bool)
-    ensures {
-      forall res.
-      interp_utility ctx id sta = res <->
-      Cn.mem res result
-    }
-
-  let rec separate_results_list (sta_opts: list ('a, result 'b)) : (results: list ('a, 'b), failures: list 'a)
-    variant { sta_opts }
-    ensures {
-      forall sta x.
-      L.mem (sta, x) results <->
-      L.mem (sta, Ok x) sta_opts
-    }
-    ensures {
-      forall sta.
-      L.mem sta failures <->
-      L.mem (sta, Incomplete) sta_opts
-    }
-  = match sta_opts with
-    | Nil -> Nil, Nil
-    | Cons (sta, opt_x) sta_opts' -> 
-      let results, failures = separate_results_list sta_opts' in
-      match opt_x with
-      | Ok x -> Cons (sta, x) results, failures
-      | Incomplete -> results, Cons sta failures
-      end
-    end
-
-  let separate_results (sta_opts: Cn.t ('a, result 'b)) : (results: Cn.t ('a, 'b), failures: Cn.t 'a)
-    ensures {
-      forall sta x.
-      Cn.mem (sta, x) results <->
-      Cn.mem (sta, Ok x) sta_opts
-    }
-    ensures {
-      forall sta.
-      Cn.mem sta failures <->
-      Cn.mem (sta, Incomplete) sta_opts
-    }
-  = let results, failures = separate_results_list (Cn.to_list sta_opts) in
-    Cn.of_list results, Cn.of_list failures
-
-  let rec function size_instr (ins:instruction) : int
-    variant { ins }
-    ensures { 0 < result }
-  = 1 + match ins with
-    | IReturn _ | IExit _ | IShift _ | IExport _ ->
-      0
-    | INot ins | INoOutput ins | ISubshell ins ->
-      size_instr ins
-    | ICd se | IAssignment _ se  ->
-      size_string_expr se
-    | ICallUtility _ le | ICallFunction _ le ->
-      size_list_expr le
-    | ISequence ins1 ins2 | IPipe ins1 ins2 | IWhile ins1 ins2 ->
-      size_instr ins1 + size_instr ins2
-    | IForeach _ le ins ->
-      size_list_expr le + size_instr ins
-    | IIf ins1 ins2 ins3 ->
-      size_instr ins1 + size_instr ins2 + size_instr ins3
-    end
-  with function size_list_expr (le:list_expression): int
-    variant { le }
-    ensures { 0 < result }
-  = 1 + match le with
-    | Nil -> 0
-    | Cons se_sp le' ->
-      size_pair se_sp + size_list_expr le'
-    end
-  with function size_pair (se_sp: (string_expression, split)) : int
-    variant { se_sp }
-    ensures { 0 < result }
-  = let se, _ = se_sp in
-    size_string_expr se
-  with function size_string_expr (se:string_expression): int
-    variant { se }
-    ensures { 0 < result }
-  = 1 + match se with
-    | SLiteral _
-    | SVariable _
-    | SArgument _ -> 0
-    | SSubshell ins -> size_instr ins
-    | SConcat se1 se2 -> size_string_expr se1 + size_string_expr se2
+  scope MakeSemantics
+    use bool.Bool
+    use int.Int
+    use list.List
+    use list.ListRich as L
+    use option.Option
+    use set.Fset
+    use string.String
+
+    use syntax.Identifier
+    use syntax.Syntax
+    use auxiliaries.OptionGet
+    use collection.Collection as Cn
+    use semantics.Arguments
+    use semantics.Behaviour
+    use semantics.Buffers
+    use semantics.Config
+    use semantics.Context
+    use semantics.Input
+    use semantics.Path
+    use semantics.Result
+
+    scope import Filesystem
+      type filesystem
     end
 
-  let rec lemma size_string_expr_list_expr (le:list_expression)
-    ensures { forall se sp. size_string_expr se < size_list_expr (Cons (se, sp) le) }
-  = match le with
-    | Nil -> ()
-    | Cons _ le' -> size_string_expr_list_expr le'
-    end
+    clone export semantics.Semantics with
+      type filesystem = filesystem,
+      axiom interp_utility_extends_output
 
-  let function flip_result sta
-    ensures { result.state = sta.state }
-    ensures { result.data = sta.data }
-    ensures { result.context = {sta.context with result=notb sta.context.result} }
-  = let result = notb sta.context.result in
-    let context = {sta.context with result=result} in
-    {sta with context=context}
-
-  let function reset_output sta sta' =
-    let sta'' = {sta'.state with stdout = sta.stdout} in
-    {sta' with state = sta''}
-
-  let function assignment_for_str_sta ctx var arg =
-    let sta', (str, result) = arg in
-    let ctx' = {
-      ctx with
-      var_env = ctx.var_env[var <- str]';
-      result = result;
-    }
-    in
-    {state = sta'; context = ctx'; data = ()}
-
-  let rec interp_instr (stk:int) (inp:input) (ctx:context) (sta:state) (ins:instruction)
-    : Rs.t unit
-    requires { inp.config.loop_limit <> Infinite /\ inp.config.stack_size <> Infinite }
-    requires { within_limit stk inp.config.stack_size }
-    variant { get_finite inp.config.stack_size - stk, size_instr ins, -1 }
-    ensures { (* Over-approximation *)
-      forall sta' ctx' bhv.
-      eval_instruction stk (inp, ctx, sta) ins (sta', ctx', bhv) ->
-      Rs.mem {state=sta'; context=ctx'; data=()} bhv result
-    }
-    (* (\* Under-approximation (->) and over-approximation (<-) *\) *)
-    (* ensures { *)
-    (*   forall bhv sta'. *)
-    (*   Rs.mem sta' bhv result <-> *)
-    (*   eval_instruction stk (inp, ctx, sta) ins *)
-    (*     (sta'.state, sta'.context, bhv) *)
-    (* } *)
-  = match ins with
-
-    | INot ins1 ->
-      let res = interp_instr stk {inp with under_condition=True} ctx sta ins1 in
-      Rs.({
-          normal = Cn.map flip_result res.normal;
-          return_ = Cn.map flip_result res.return_;
-          exit = res.exit;
-          failure = res.failure;
-        })
-      ensures {
-        forall sta' ctx' bhv.
-        eval_instruction stk ({inp with under_condition=True}, ctx, sta) ins1 (sta', ctx', bhv) ->
-        match bhv with
-        | BNormal | BReturn -> Rs.mem {state=sta'; context={ctx' with result=notb ctx'.result}; data=()} bhv result
-        | BExit | BIncomplete -> Rs.mem {state=sta'; context=ctx'; data=()} bhv result
-        end
-      }
+    scope MakeInterpreter
 
-    | IAssignment var se ->
-      let str_stas, str_stas_failure =
-        separate_results
-          (interp_str_expr stk True inp ctx sta se)
-      in
-      let str_stas_failure = Rs.stas_as_failures ctx str_stas_failure in
-      let res =
-        Rs.inject inp
-          (Cn.map (fun arg -> assignment_for_str_sta ctx var arg) str_stas)
-      in
-      Rs.(union res str_stas_failure)
-      ensures {
-        forall sta'.
-        eval_str_expr stk True (inp, ctx, sta) se (sta', Incomplete) ->
-        Cn.mem {state=sta'; context=ctx; data=()} result.Rs.failure
-      }
+      scope import Arg
+        (* TODO Remove `function` from this and the below reformulation, use predicate in specifications below *)
+        val function sym_interp_utility (params: (utility_context, identifier, state)) : Cn.t (state, result bool)
+          ensures { forall res. interp_utility params res <-> Cn.mem res result }
+      end
 
-    | IExport id ->
-      let sta' =
-        let ctx' =
-          let var_val = {ctx.var_env[id] with exported=True} in
-          let var_env' = ctx.var_env[id <- var_val] in
-          {ctx with var_env = var_env'; result = True}
-        in
-        {state = sta; context = ctx'; data=()}
-      in
-      Rs.({empty with normal = Cn.singleton sta'})
-
-    | ISequence ins1 ins2 ->
-      let res1_normal, res1_other =
-        Rs.separate_normal
-          (interp_instr stk inp ctx sta ins1)
-      in
-      let res2 = interp_instr' stk inp res1_normal ins2 in
-      Rs.union res2 res1_other
-
-    | ISubshell ins ->
-      let stas, stas_failure =
-        Rs.separate_non_failure
-          (interp_instr stk inp ctx sta ins)
-      in
-      assert {
-        forall sta' ctx' bhv.
-        bhv <> BIncomplete ->
-        eval_instruction stk (inp, ctx, sta) ins (sta', ctx', bhv) ->
-        Cn.mem {state=sta'; context=ctx'; data=()} stas
-      };
-      let stas' =
-        let aux sta =
-          let ctx' = {ctx with result = sta.context.result} in
-          {state=sta.state; context=ctx'; data=()}
-        in
-        Cn.map aux stas
-      in
-      let old_ctx_with_res sta = {sta with context={ctx with result=sta.context.result}} in
-      Rs.(union
-           (inject inp stas')
-           {empty with failure=Cn.map old_ctx_with_res stas_failure})
-      ensures {
-        forall sta' ctx'.
-        eval_instruction stk (inp, ctx, sta) ins (sta', ctx', BIncomplete) ->
-        Rs.mem {state=sta'; context={ctx with result=ctx'.result}; data=()} BIncomplete result
+      (** A symbolic state combines a concrete context and a program state as defined in the
+          semantics with a filesystem using feature constraints. *)
+      type sym_state 'a = {
+        context: context;
+        state: state;
+        data: 'a (* Used to fiddle additional information through interp_instr': A stdin in pipe and the last result in the loops *)
       }
 
-    | INoOutput ins ->
-      Rs.map (reset_output sta)
-        (interp_instr stk inp ctx sta ins)
-
-    | IIf ins1 ins2 ins3 ->
-      let res1_normal, res1_other =
-        Rs.separate_normal
-          (interp_instr stk {inp with under_condition=True} ctx sta ins1)
-      in
-      let res2 =
-        let res1_true, res1_false =
-          Cn.partition
-            (fun sta -> sta.context.result)
-            res1_normal
-        in
-        Rs.union
-          (interp_instr' stk inp res1_true ins2)
-          (interp_instr' stk inp res1_false ins3)
-      in
-      Rs.union res2 res1_other
-
-    | ICd se ->
-      let res1, res1_failures =
-        separate_results
-          (interp_str_expr stk True inp ctx sta se) in
-      let function aux arg =
-        let sta1, (s, (_:bool)) = arg in
-        let cwd_p = absolute_or_concat_relative ctx.cwd s in
-        let pwd_s = normalized_path_to_string cwd_p in
-        let args = Cons "-d" (Cons pwd_s Nil) in
-        Cn.map (fun arg -> let sta2, r = arg in ((sta2, cwd_p, pwd_s), r))
-          (sym_interp_utility (ctx.cwd, filter_var_env ctx.var_env, args) identifier_test sta1) in
-      let res2a = Cn.bind aux res1 in
-      let res2, res2_failures = separate_results res2a in
-      let function aux' arg =
-        let (sta2, cwd_p, pwd_s), b = arg in
-        if b then
-          let ctx' = {
-            ctx with
-            var_env = ctx.var_env[identifier_pwd <- pwd_s]';
-            cwd = cwd_p;
-            result = True } in 
-          {state = sta2; context = ctx'; data = ()}
-        else
-          let ctx' = {ctx with result = False} in
-          {state = sta2; context = ctx'; data = ()} in
-      let res2' = Cn.map aux' res2 in
-      let res3 = Rs.inject inp res2' in
-      let res2_failures' = Cn.map (fun arg -> let sta, _, _ = arg in sta) res2_failures in
-      let res_failures = Rs.stas_as_failures ctx (Cn.union res1_failures res2_failures') in
-      Rs.union res3 res_failures
-      ensures { [@expl:cd_arg_failure]
-        forall sta1.
-        eval_str_expr stk True (inp, ctx, sta) se (sta1, Incomplete) ->
-        Rs.mem {state=sta1; context=ctx; data=()} BIncomplete result
-      }
-      ensures { [@expl:cd_incomplete]
-        forall sta1 s b sta2.
-        eval_str_expr stk True (inp, ctx, sta) se (sta1, Ok (s, b)) ->
-        let cwd_p = absolute_or_concat_relative ctx.cwd s in
-        let pwd_s = normalized_path_to_string cwd_p in
-        let args = Cons "-d" (Cons pwd_s Nil) in
-        (sta2, Incomplete) = interp_utility (ctx.cwd, filter_var_env ctx.var_env, args) identifier_test sta1 ->
-        Rs.mem {state=sta2; context=ctx; data=()} BIncomplete result
-        by Cn.mem (sta1, (s, b)) res1
-        so Cn.mem (sta2, Incomplete) (sym_interp_utility (ctx.cwd, filter_var_env ctx.var_env, args) identifier_test sta1)
-        so Cn.mem (sta2, cwd_p, pwd_s) res2_failures
-      }
-      ensures { [@expl:cd_no_dir]
-        forall sta1 s b sta2.
-        eval_str_expr stk True (inp, ctx, sta) se (sta1, Ok (s, b)) ->
-        let cwd_p = absolute_or_concat_relative ctx.cwd s in
-        let pwd_s = normalized_path_to_string cwd_p in
-        let args = Cons "-d" (Cons pwd_s Nil) in
-        (sta2, Ok False) = interp_utility (ctx.cwd, filter_var_env ctx.var_env, args) identifier_test sta1 ->
-        let ctx' = {ctx with result = False} in
-        let bhv = behaviour inp False in
-        Rs.mem {state=sta2; context=ctx'; data=()} bhv result
-        by Cn.mem (sta1, (s, b)) res1
-        so Cn.mem (sta2, Ok False) (sym_interp_utility (ctx.cwd, filter_var_env ctx.var_env, args) identifier_test sta1)
-        so Cn.mem ((sta2, cwd_p, pwd_s), False) res2
-        so Cn.mem {state=sta2; context=ctx'; data=()} res2'
-      }
-      ensures { [@expl:cd]
-        forall sta1 s b sta2.
-        eval_str_expr stk True (inp, ctx, sta) se (sta1, Ok (s, b)) ->
-        let cwd_p = absolute_or_concat_relative ctx.cwd s in
-        let pwd_s = normalized_path_to_string cwd_p in
-        let args = Cons "-d" (Cons pwd_s Nil) in
-        (sta2, Ok True) = interp_utility (ctx.cwd, filter_var_env ctx.var_env, args) identifier_test sta1 ->
-        let ctx1 = {ctx with result = True; var_env = ctx.var_env[identifier_pwd <- pwd_s]'; cwd = cwd_p} in
-        let bhv = behaviour inp True in
-        Rs.mem {state=sta2; context=ctx1; data=()} bhv result
-        by Cn.mem (sta1, (s, b)) res1
-        so Cn.mem (sta2, Ok True) (sym_interp_utility (ctx.cwd, filter_var_env ctx.var_env, args) identifier_test sta1)
-        so Cn.mem ((sta2, cwd_p, pwd_s), True) res2
-        so Cn.mem {state=sta2; context=ctx1; data=()} res2'
-      }
+      let function with_data data =
+        fun sta ->
+          {sta with data = data}
+
+      (** The symbolic interpretation of a program results describes multiple possible results
+        *)
+      scope Results
+
+        (** The results of a symbolic execution is a quadruple of sets of symbolic states, where
+            each components corresponds to a behaviour. *)
+        type t 'a = {
+          normal  : Cn.t (sym_state 'a);
+          exit    : Cn.t (sym_state 'a);
+          return_ : Cn.t (sym_state 'a);
+          failure : Cn.t (sym_state 'a);
+        }
 
-    | ICallUtility id le ->
-      let res, res_failures =
-        separate_results
-          (interp_list_expr stk inp ctx sta le) in
-      let function aux arg =
-        let sta', args = arg in
-        sym_interp_utility (ctx.cwd, filter_var_env ctx.var_env, args) id sta' in
-      let res', res_failures' =
-        separate_results (Cn.bind aux res) in
-      let function aux' arg =
-        let sta'', b = arg in
-        {state=sta''; context={ctx with result=b}; data=()} in
-      let res'' = Cn.map aux' res' in
-      let res''' = Rs.inject inp res'' in
-      let res_failures' = Rs.stas_as_failures ctx (Cn.union res_failures res_failures') in
-      Rs.union res''' res_failures'
-      ensures { [@expl:args_incomplete]
-        forall sta'.
-        eval_list_expr stk (inp, ctx, sta) le (sta', Incomplete) ->
-        Rs.mem {state=sta'; context=ctx; data=()} BIncomplete result 
-      }
-      ensures { [@expl:utility_incomplete]
-        forall sta' ss sta''.
-        eval_list_expr stk (inp, ctx, sta) le (sta', Ok ss) ->
-        (sta'', Incomplete) = interp_utility (ctx.cwd, filter_var_env ctx.var_env, ss) id sta' ->
-        Rs.mem {state=sta''; context=ctx; data=()} BIncomplete result
-        by Rs.mem {state=sta''; context=ctx; data=()} BIncomplete res_failures'
-      }
-      ensures { [@expl:utility]
-        forall sta' ss sta'' b.
-        eval_list_expr stk (inp, ctx, sta) le (sta', Ok ss) ->
-        (sta'', Ok b) = interp_utility (ctx.cwd, filter_var_env ctx.var_env, ss) id sta' ->
-        let ctx' = {ctx with result=b} in
-        Rs.mem {state=sta''; context=ctx'; data=()} (behaviour inp b) result
-        by Cn.mem {state=sta''; context=ctx'; data=()} res''
-      }
+        let constant empty = {
+          normal  = Cn.empty;
+          exit    = Cn.empty;
+          return_ = Cn.empty;
+          failure = Cn.empty;
+        }
 
-    | ICallFunction id le ->
-      let arg_res, arg_res_failures =
-        separate_results
-          (interp_list_expr stk inp ctx sta le)
-      in
-      assert { [@expl:callfun1]
-        forall sta1 args.
-        eval_list_expr stk (inp, ctx, sta) le (sta1, Ok args) ->
-        Cn.mem (sta1, args) arg_res
-      };
-      let res =
-        match ctx.func_env[id] with
-        | Some ins -> (* Function defined as `ins` *)
-            if stk = get_finite inp.config.stack_size then (* Stack overflow *)
-              let aux arg =
-                let sta', _ = arg in
-                let sta' = { sta' with log = Stdout.(newline (output stack_limit_message sta'.log)) } in
-                {state=sta'; context=ctx; data=()}
-              in
-              Rs.({empty with failure = Cn.map aux arg_res})
-              ensures { [@expl:callfun2]
-                forall sta1 args ins.
-                eval_list_expr stk (inp, ctx, sta) le (sta1, Ok args) ->
-                ctx.func_env[id] = Some ins ->
-                inp.config.stack_size = Finite stk ->
-                let sta1' = { sta1 with log = Stdout.(newline (output stack_limit_message sta1.log)) } in
-                Rs.mem {state=sta1'; context=ctx; data=()} BIncomplete result
-              }
-            else (* Execute function *)
-              let res2 =
-                let function aux (arg: (state, list string))  =
-                  let sta1, args = arg in
-                  let inp1 = { inp with argument0 = identifier_to_string id } in
-                  let ctx1 = { ctx with arguments = args } in
-                  interp_instr (stk+1) inp1 ctx1 sta1 ins
-                in
-                Rs.bind_collection aux arg_res
-                ensures { [@expl:callfun3]
-                  forall sta1 args ins sta2 ctx2 bhv2.
-                  eval_list_expr stk (inp, ctx, sta) le (sta1, Ok args) ->
-                  ctx.func_env[id] = Some ins ->
-                  inp.config.stack_size <> Finite stk ->
-                  let inp1 = { inp with argument0 = identifier_to_string id } in
-                  let ctx1 = { ctx with arguments = args } in
-                  eval_instruction (stk+1) (inp1, ctx1, sta1) ins (sta2, ctx2, bhv2) ->
-                  Rs.mem {state=sta2; context=ctx2; data=()} bhv2 result
-                }
-              in
-              let res2' =
-                let function aux (sta2: sym_state unit) =
-                  {state=sta2.state; context={sta2.context with arguments = ctx.arguments}; data=()}
-                in
-                Rs.map aux res2
-                ensures { [@expl:callfun4]
-                  forall sta1 args ins sta2 ctx2 bhv2.
-                  eval_list_expr stk (inp, ctx, sta) le (sta1, Ok args) ->
-                  ctx.func_env[id] = Some ins ->
-                  inp.config.stack_size <> Finite stk ->
-                  let inp1 = { inp with argument0 = identifier_to_string id } in
-                  let ctx1 = { ctx with arguments = args } in
-                  eval_instruction (stk+1) (inp1, ctx1, sta1) ins (sta2, ctx2, bhv2) ->
-                  Rs.mem {state=sta2; context={ctx2 with arguments = ctx.arguments}; data=()} bhv2 result
-                }
-              in
-              Rs.({res2' with normal=Cn.union res2'.normal res2'.return_; return_=Cn.empty})
-              ensures { [@expl:callfun5]
-                forall sta1 args ins sta2 ctx2 bhv2.
-                eval_list_expr stk (inp, ctx, sta) le (sta1, Ok args) ->
-                ctx.func_env[id] = Some ins ->
-                inp.config.stack_size <> Finite stk ->
-                let inp1 = {inp with argument0=identifier_to_string id} in
-                let ctx1 = {ctx with arguments=args} in
-                eval_instruction (stk+1) (inp1, ctx1, sta1) ins (sta2, ctx2, bhv2) ->
-                let bhv' = match bhv2 with BNormal | BReturn -> BNormal | BExit -> BExit | BIncomplete -> BIncomplete end in
-                let ctx' = { ctx2 with arguments = ctx.arguments } in
-                Rs.mem {state=sta2; context=ctx'; data=()} bhv' result
-              }
-        | None -> (* Undefined function *)
-            let arg_res' =
-              let function aux (arg: (state, list string)) =
-                let sta', _ = arg in
-                {state=sta'; context={ctx with result=False}; data=()}
-              in
-              Cn.map aux arg_res
-              ensures {
-                forall sta' ss.
-                eval_list_expr stk (inp, ctx, sta) le (sta', Ok ss) ->
-                ctx.func_env[id] = None ->
-                Cn.mem {state=sta'; context={ctx with result=False}; data=()} result
-                by Cn.mem (sta', ss) arg_res
-              }
-            in
-            Rs.single_behaviour (behaviour inp False) arg_res'
-            ensures {
-              forall sta' ss.
-              eval_list_expr stk (inp, ctx, sta) le (sta', Ok ss) ->
-              ctx.func_env[id] = None ->
-              Rs.mem {state=sta'; context={ctx with result=False}; data=()} (behaviour inp False) result
-            }
-        end
-      in
-      let res_failures = Rs.stas_as_failures ctx arg_res_failures in
-      Rs.union res res_failures
-
-    | IShift bn ->
-      match shift_arguments (option_get (mk_nat 1) bn).nat ctx.arguments with
-      | Some args ->
-        let ctx' = {ctx with result = True; arguments = args} in
-        let sta' = {state = sta; context = ctx'; data=()} in
-        Rs.({empty with normal = Cn.singleton sta'})
-      | None ->
-        let ctx' = {ctx with result = False} in
-        let sta' = {state = sta; context = ctx'; data=()} in
-        Rs.inject inp (Cn.singleton sta')
+        predicate mem (sta:sym_state 'a) (bhv:behaviour) (rs:t 'a) =
+          match bhv with
+          | BNormal  -> Cn.mem sta rs.normal
+          | BExit    -> Cn.mem sta rs.exit
+          | BReturn  -> Cn.mem sta rs.return_
+          | BIncomplete -> Cn.mem sta rs.failure
+          end
+
+        let function map (f:sym_state 'a -> sym_state 'b) (res:t 'a) : t 'b
+          ensures { forall sta bhv. mem sta bhv res -> mem (f sta) bhv result }
+          ensures { forall sta' bhv. mem sta' bhv result -> exists sta. mem sta bhv res /\ sta' = f sta }
+        = { normal  = Cn.map f res.normal;
+            exit    = Cn.map f res.exit;
+            return_ = Cn.map f res.return_;
+            failure = Cn.map f res.failure; }
+
+        let function union (res1 res2: t 'a) : t 'a
+          ensures { forall sta bhv. mem sta bhv res1 -> mem sta bhv result }
+          ensures { forall sta bhv. mem sta bhv res2 -> mem sta bhv result }
+          ensures { forall sta bhv. mem sta bhv result -> mem sta bhv res1 \/ mem sta bhv res2 }
+        = { normal  = Cn.union res1.normal  res2.normal;
+            exit    = Cn.union res1.exit    res2.exit;
+            return_ = Cn.union res1.return_ res2.return_;
+            failure = Cn.union res1.failure res2.failure; }
+
+        lemma union_1: forall sta: sym_state 'a, bhv res1 res2.
+          mem sta bhv res1 -> mem sta bhv (union res1 res2)
+
+        lemma union_2: forall sta: sym_state 'a, bhv res1 res2.
+          mem sta bhv res2 -> mem sta bhv (union res1 res2)
+
+        let rec flatten_list (l: L.list (t 'a)) : t 'a
+          variant { l }
+          ensures { forall res sta bhv. L.mem res l -> mem sta bhv res -> mem sta bhv result }
+          ensures { forall sta bhv. mem sta bhv result -> exists res. L.mem res l /\ mem sta bhv res }
+        = match l with
+          | L.Nil -> empty
+          | L.Cons rs l' ->
+            union rs (flatten_list l')
+          end
+
+        let flatten (c: Cn.t (t 'a)) : t 'a
+          ensures { forall res sta bhv. Cn.mem res c -> mem sta bhv res -> mem sta bhv result }
+          ensures { forall sta bhv. mem sta bhv result -> exists res. Cn.mem res c /\ mem sta bhv res }
+        = flatten_list (Cn.to_list c)
+
+        let bind_collection (f: 'a -> t 'b) (c: Cn.t 'a) : t 'b
+          ensures {
+            forall x sta bhv.
+            Cn.mem x c ->
+            mem sta bhv (f x) ->
+            mem sta bhv result
+          }
+          ensures {
+            forall sta bhv.
+            mem sta bhv result ->
+            exists x.
+            Cn.mem x c /\
+            mem sta bhv (f x)
+          }
+        = flatten (Cn.map f c)
+
+        let separate_normal (res:t 'a) : (normal: Cn.t (sym_state 'a), other: t 'a)
+          ensures { normal = res.normal }
+          ensures { other.normal = Cn.empty }
+          ensures { other.exit = res.exit }
+          ensures { other.return_ = res.return_ }
+          ensures { other.failure = res.failure }
+          ensures { forall s. Cn.mem s normal -> Cn.mem s res.normal }
+          ensures { forall s bhv. mem s bhv other -> bhv <> BNormal /\ mem s bhv res }
+        = res.normal, {res with normal = Cn.empty}
+
+        let function separate_non_failure (res:t 'a) : (Cn.t (sym_state 'a), Cn.t (sym_state 'a))
+          = Cn.(union res.normal (union res.exit res.return_)), res.failure
+
+        let function all_states (res:t 'a) : Cn.t (sym_state 'a) =
+          Cn.(union res.normal (union res.exit (union res.return_ res.failure)))
+
+        let stas_as_failures (ctx:context) (stas:Cn.t state) : t unit
+          ensures { result.normal = Cn.empty }
+          ensures { result.exit = Cn.empty }
+          ensures { result.return_ = Cn.empty }
+          ensures { forall s. Cn.mem s result.failure -> Cn.mem s.state stas /\ s.context=ctx /\ s.data = () }
+          ensures { forall s. Cn.mem s stas -> Cn.mem {state=s; context=ctx; data=()} result.failure }
+        = let aux sta = {state=sta; context=ctx; data=()} in
+          {empty with failure=Cn.map aux stas}
+
+        let function single_behaviour bhv (stas: Cn.t (sym_state 'a)) : t 'a =
+          match bhv with
+          | BNormal -> {empty with normal=stas}
+          | BExit -> {empty with exit=stas}
+          | BReturn -> {empty with return_=stas}
+          | BIncomplete -> {empty with failure=stas}
+          end
+
+        let function inject (inp: input) (stas: Cn.t (sym_state 'a)) : t 'a
+          (* ensures { forall sta bhv. mem sta bhv result <-> Cn.mem sta stas /\ bhv = behaviour inp sta.context.result } *)
+          (* ensures { stas = Cn.union result.normal result.exit by Cn.(stas == union result.normal result.exit) } *)
+          (* ensures { forall s. Cn.mem s result.normal -> Cn.mem s stas /\ behaviour inp s.context.result = BNormal } *)
+          (* ensures { forall s. Cn.mem s result.exit -> Cn.mem s stas /\ behaviour inp s.context.result = BExit } *)
+          (* ensures { result.return_ = Cn.empty } *)
+          (* ensures { result.failure = Cn.empty } *)
+        = let exit, normal = Cn.partition (fun sta -> exit_not_normal inp sta.context.result) stas in
+          (* assert { forall sta. Cn.mem sta exit -> exit_not_normal inp sta.context.result = True }; *)
+          (* assert { forall sta. Cn.mem sta normal -> exit_not_normal inp sta.context.result = False }; *)
+          {empty with normal=normal; exit=exit}
+          (* ensures { forall sta bhv. mem sta bhv result -> Cn.mem sta normal \/ Cn.mem sta exit } *)
+
+        lemma mem_inject: forall res: t 'a, sta bhv inp stas.
+          res = inject inp stas ->
+          (mem sta bhv res <-> Cn.mem sta stas /\ bhv = behaviour inp sta.context.result)
+
+        lemma inject_union: forall res: t 'a, inp stas.
+          res = inject inp stas ->
+          stas = Cn.union res.normal res.exit by
+          Cn.(stas == union res.normal res.exit)
+
+        lemma inject_return_empty: forall res: t 'a, inp stas.
+          res = inject inp stas -> res.return_ = Cn.empty
+
+        lemma inject_failure_empty: forall res: t 'a, inp stas.
+          res = inject inp stas -> res.failure = Cn.empty
+
+        lemma inject_normal_union_exit: forall inp, stas: Cn.t (sym_state 'a).
+          stas = Cn.union (inject inp stas).normal (inject inp stas).exit
+          by Cn.(stas == union (inject inp stas).normal (inject inp stas).exit)
+
+        lemma inject_under_condition_normal: forall res: t 'a, inp stas.
+          res = inject inp stas ->
+          inp.under_condition = True ->
+          res.normal = stas
+          by Cn.(res.normal == stas)
+
+        lemma inject_under_condition_exit: forall inp, stas: Cn.t (sym_state 'a).
+          inp.under_condition = True ->
+          (inject inp stas).exit = Cn.empty
+          by Cn.((inject inp stas).exit == Cn.empty)
+
+        lemma inject_outside_condition_normal: forall inp, stas: Cn.t (sym_state 'a).
+          inp.under_condition = False ->
+          (inject inp stas).normal = Cn.filter (fun sta -> sta.context.result) stas
+          by Cn.((inject inp stas).normal == filter (fun sta -> sta.context.result) stas)
+
+        lemma inject_outside_condition_exit: forall inp, stas: Cn.t (sym_state 'a).
+          inp.under_condition = False ->
+          (inject inp stas).exit = Cn.filter (fun sta -> not sta.context.result) stas
+          by Cn.((inject inp stas).exit == filter (fun sta -> not sta.context.result) stas)
+
+        lemma inject_map: forall f: sym_state 'a -> sym_state 'b, res inp sta sta' bhv stas.
+          res = inject inp (Cn.map f stas) ->
+          sta' = f sta ->
+          bhv = behaviour inp (f sta).context.result ->
+          Cn.mem sta stas ->
+          mem sta' bhv res
+
+        lemma inject_map': forall f: sym_state 'a -> sym_state 'b, res inp sta' bhv stas.
+          res = inject inp (Cn.map f stas) ->
+          mem sta' bhv res ->
+          bhv = behaviour inp sta'.context.result /\
+          exists sta. Cn.mem sta stas /\ sta' = f sta
+
+        lemma union_inject: forall res: t 'a, inp stas.
+          res = inject inp stas ->
+          stas = Cn.union res.normal res.exit
+          by
+          Cn.(stas == union res.normal res.exit)
+
+        lemma mem_union_inject: forall sta: sym_state 'a, bhv inp stas rs.
+          mem sta bhv (union (inject inp stas) rs) <->
+          ((Cn.mem sta stas /\ bhv = behaviour inp sta.context.result) \/
+          mem sta bhv rs)
+
+        lemma mem_union: forall sta bhv, rs1 rs2:t 'a.
+          mem sta bhv (union rs1 rs2) <->
+          (mem sta bhv rs1 \/ mem sta bhv rs2)
+
+        lemma mem_map: forall sta': sym_state 'b, bhv, rs, f: sym_state 'a -> sym_state 'b.
+          mem sta' bhv (map f rs) <->
+          exists sta. mem sta bhv rs /\ sta' = f sta
+
+        lemma failure_union: forall rs1 rs2: t 'a.
+          failure (union rs1 rs2) = Cn.union (failure rs1) (failure rs2)
+
+        lemma mem_mk_results: forall sta: sym_state 'a, bhv normal exit return_ failure.
+          mem sta bhv { normal=normal; exit=exit; return_=return_; failure=failure } <->
+          match bhv with
+          | BNormal  -> Cn.mem sta normal
+          | BExit    -> Cn.mem sta exit
+          | BReturn  -> Cn.mem sta return_
+          | BIncomplete -> Cn.mem sta failure
+          end
+
+        lemma mem_union_results: forall sta: sym_state 'a, bhv rs1 rs2.
+          mem sta bhv (union rs1 rs2) <->
+          (match bhv with
+          | BNormal  -> Cn.mem sta rs1.normal
+          | BExit    -> Cn.mem sta rs1.exit
+          | BReturn  -> Cn.mem sta rs1.return_
+          | BIncomplete -> Cn.mem sta rs1.failure
+          end \/
+          match bhv with
+          | BNormal  -> Cn.mem sta rs2.normal
+          | BExit    -> Cn.mem sta rs2.exit
+          | BReturn  -> Cn.mem sta rs2.return_
+          | BIncomplete -> Cn.mem sta rs2.failure
+          end)
       end
 
-    | IForeach id le ins ->
-      let lst_res, lst_res_failures =
-        separate_results
-          (interp_list_expr stk inp ctx sta le)
-      in
-      assert {
-        forall sta' ss.
-        eval_list_expr stk (inp, ctx, sta) le (sta', Ok ss) -> 
-        Cn.mem (sta', ss) lst_res
-      };
-      let res_loop_cont =
-        (* Execute foreach loop on a result from interp_list_expr *)
-        let function aux arg =
-          let sta', ss = arg in
-          interp_foreach True stk inp ctx sta' id ss ins
-        in
-        Rs.bind_collection aux lst_res
+      let rec separate_results_list (sta_opts: list ('a, result 'b)) : (results: list ('a, 'b), failures: list 'a)
+        variant { sta_opts }
         ensures {
-          forall sta' ss sta'' ctx' bhv b.
-          eval_list_expr stk (inp, ctx, sta) le (sta', Ok ss) -> 
-          eval_foreach stk True (inp, ctx, sta') id ss ins (sta'', ctx', bhv) b ->
-          Rs.mem {state=sta''; context=ctx'; data=b} bhv result
+          forall sta x.
+          L.mem (sta, x) results <->
+          L.mem (sta, Ok x) sta_opts
         }
-      in
-      let res_loop_cont' =
-        let function aux sta'' =
-          let ctx'' = {sta''.context with result=sta''.data} in
-          with_data () {sta'' with context = ctx''}
-        in
-        Rs.map aux res_loop_cont
         ensures {
-          forall sta' ss sta'' ctx' bhv b.
-          eval_list_expr stk (inp, ctx, sta) le (sta', Ok ss) -> 
-          eval_foreach stk True (inp, ctx, sta') id ss ins (sta'', ctx', bhv) b ->
-          
-          Rs.mem {state=sta''; context={ctx' with result=b}; data=()} bhv result
+          forall sta.
+          L.mem sta failures <->
+          L.mem (sta, Incomplete) sta_opts
         }
-      in
-      let res_failure =
-        Rs.stas_as_failures ctx lst_res_failures
-        ensures {
-          forall sta'.
-          eval_list_expr stk (inp, ctx, sta) le (sta', Incomplete) -> 
-          Rs.mem {state=sta'; context=ctx; data=()} BIncomplete result
-        }
-      in
-      Rs.(union res_loop_cont' res_failure)
-
-    | IWhile ins1 ins2 ->
-      let res = interp_while True 0 stk inp ctx sta ins1 ins2 in
-      let function aux_normal (sta': sym_state (int, bool)) =
-        let _, b = sta'.data in
-        {state=sta'.state; context={sta'.context with result=b}; data=()}
-      in
-      let function aux_other (sta': sym_state (int, bool)) =
-        {sta' with data=()}
-      in
-      Rs.({normal=Cn.map aux_normal res.normal;
-           exit=Cn.map aux_other res.exit;
-           return_=Cn.map aux_other res.return_;
-           failure=Cn.map aux_other res.failure})
-      ensures {
-        forall sta' ctx' bhv ctr b.
-        bhv <> BNormal ->
-        eval_while stk 0 True (inp, ctx, sta) ins1 ins2 (sta', ctx', bhv) ctr b ->
-        Rs.mem {state=sta'; context=ctx'; data=()}  bhv result
-      }
-      ensures {
-        forall sta' ctx' ctr b.
-        eval_while stk 0 True (inp, ctx, sta) ins1 ins2 (sta', ctx', BNormal) ctr b ->
-        Rs.mem {state=sta'; context={ctx' with result=b}; data=()} BNormal result
-      }
+      = match sta_opts with
+        | Nil -> Nil, Nil
+        | Cons (sta, opt_x) sta_opts' -> 
+          let results, failures = separate_results_list sta_opts' in
+          match opt_x with
+          | Ok x -> Cons (sta, x) results, failures
+          | Incomplete -> results, Cons sta failures
+          end
+        end
 
-    | IPipe ins1 ins2 ->
-      let stas1, stas1_failure =
-        Rs.separate_non_failure
-          (interp_instr stk inp ctx {sta with stdout=Stdout.empty} ins1)
-      in
-      assert {
-        forall sta1 ctx1 bhv1.
-        eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins1 (sta1, ctx1, bhv1) ->
-        bhv1 <> BIncomplete ->
-        Cn.mem {state=sta1; context=ctx1; data=()} stas1
-      };
-      let stas1': Cn.t (sym_state stdin) = (* data is sta1.state.stdin *)
-        let function aux (sta1: sym_state unit) =
-          {state={sta1.state with stdout=sta.stdout; stdin=Stdout.to_stdin sta1.state.stdout}; context=ctx; data=sta1.state.stdin}
-        in
-        Cn.map aux stas1
-        ensures {
-          forall sta1 ctx1 bhv1.
-          eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins1 (sta1, ctx1, bhv1) ->
-          bhv1 <> BIncomplete ->
-          Cn.mem
-            {state={sta1 with stdout=sta.stdout; stdin=Stdout.to_stdin sta1.stdout}; context=ctx; data=sta1.stdin}
-            result
-        }
-      in
-      let res2: Rs.t stdin = (* data is sta1.state.stdin *)
-        interp_instr' stk inp stas1' ins2
+      let separate_results (sta_opts: Cn.t ('a, result 'b)) : (results: Cn.t ('a, 'b), failures: Cn.t 'a)
         ensures {
-          forall sta1 ctx1 bhv1 sta2 ctx2 bhv2.
-          eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins1 (sta1, ctx1, bhv1) -> 
-          bhv1 <> BIncomplete ->
-          eval_instruction stk (inp, ctx, {sta1 with stdout=sta.stdout; stdin=Stdout.to_stdin sta1.stdout}) ins2 (sta2, ctx2, bhv2) ->
-          Rs.mem {state=sta2; context=ctx2; data=sta1.stdin} bhv2 result
+          forall sta x.
+          Cn.mem (sta, x) results <->
+          Cn.mem (sta, Ok x) sta_opts
         }
-      in
-      let res2' =
-        let function aux sta2 =
-          {state={sta2.state with stdin=sta2.data};
-           context={ctx with result=sta2.context.result};
-           data=()}
-        in
-        Rs.map aux res2
-        ensures {
-          forall sta1 ctx1 bhv1 sta2 ctx2 bhv2.
-          eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins1 (sta1, ctx1, bhv1) -> 
-          bhv1 <> BIncomplete ->
-          eval_instruction stk (inp, ctx, {sta1 with stdout=sta.stdout; stdin=Stdout.to_stdin sta1.stdout}) ins2 (sta2, ctx2, bhv2) ->
-          Rs.mem {state={sta2 with stdin=sta1.stdin}; context={ctx with result=ctx2.result}; data=()} bhv2 result
-        }
-      in
-      let sta1_failure' =
-        let function aux (sta1: sym_state unit) =
-          {state={sta1.state with stdout=sta.stdout}; context=ctx; data=()}
-        in
-        Cn.map aux stas1_failure
         ensures {
-          forall sta1 ctx1.
-          eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins1 (sta1, ctx1, BIncomplete) -> 
-          Cn.mem {state={sta1 with stdout=sta.stdout}; context=ctx; data=()} result
+          forall sta.
+          Cn.mem sta failures <->
+          Cn.mem (sta, Incomplete) sta_opts
         }
-      in
-      Rs.(union res2' {empty with failure=sta1_failure'})
-
-    | IExit code ->
-      let r =
-        match code with
-        | RPrevious -> ctx.result
-        | RSuccess -> True
-        | RFailure -> False
+      = let results, failures = separate_results_list (Cn.to_list sta_opts) in
+        Cn.of_list results, Cn.of_list failures
+
+      let rec function size_instr (ins:instruction) : int
+        variant { ins }
+        ensures { 0 < result }
+      = 1 + match ins with
+        | IReturn _ | IExit _ | IShift _ | IExport _ ->
+          0
+        | INot ins | INoOutput ins | ISubshell ins ->
+          size_instr ins
+        | ICd se | IAssignment _ se  ->
+          size_string_expr se
+        | ICallUtility _ le | ICallFunction _ le ->
+          size_list_expr le
+        | ISequence ins1 ins2 | IPipe ins1 ins2 | IWhile ins1 ins2 ->
+          size_instr ins1 + size_instr ins2
+        | IForeach _ le ins ->
+          size_list_expr le + size_instr ins
+        | IIf ins1 ins2 ins3 ->
+          size_instr ins1 + size_instr ins2 + size_instr ins3
         end
-      in
-      let sta = {state=sta; context={ctx with result=r}; data=()} in
-      Rs.({empty with exit = Cn.singleton sta})
-
-    | IReturn code ->
-      let r =
-        match code with
-        | RPrevious -> ctx.result
-        | RSuccess -> True
-        | RFailure -> False
+      with function size_list_expr (le:list_expression): int
+        variant { le }
+        ensures { 0 < result }
+      = 1 + match le with
+        | Nil -> 0
+        | Cons se_sp le' ->
+          size_pair se_sp + size_list_expr le'
+        end
+      with function size_pair (se_sp: (string_expression, split)) : int
+        variant { se_sp }
+        ensures { 0 < result }
+      = let se, _ = se_sp in
+        size_string_expr se
+      with function size_string_expr (se:string_expression): int
+        variant { se }
+        ensures { 0 < result }
+      = 1 + match se with
+        | SLiteral _
+        | SVariable _
+        | SArgument _ -> 0
+        | SSubshell ins -> size_instr ins
+        | SConcat se1 se2 -> size_string_expr se1 + size_string_expr se2
         end
-      in
-      let sta =
-        let ctx' = {ctx with result = r} in
-        {state = sta; context = ctx'; data=()}
-      in
-      Rs.({empty with return_ = Cn.singleton sta})
-    end
 
-  with interp_foreach (b:bool) (stk:int) (inp:input) (ctx:context) (sta:state) (id:identifier) (ss:list string) (ins:instruction) : Rs.t bool
-    variant { get_finite inp.config.stack_size - stk, size_instr ins, L.length ss }
-    requires { inp.config.loop_limit <> Infinite /\ inp.config.stack_size <> Infinite }
-    requires { stk <= get_finite inp.config.stack_size }
-    ensures {
-      forall sta' ctx' bhv b'.
-      eval_foreach stk b (inp, ctx, sta) id ss ins (sta', ctx', bhv) b' ->
-      Rs.mem {state=sta'; context=ctx'; data=b'} bhv result
-    }
-  = match ss with
-    | Nil ->
-      Rs.({empty with normal=Cn.singleton {state=sta; context=ctx; data=b}})
-    | Cons s ss' ->
-      let res1_normal, res1_other =
-        Rs.separate_normal
-          (interp_instr stk inp {ctx with var_env = ctx.var_env[id <- s]'} sta ins)
-      in
-      let res_normal' =
-        let function aux (sta1: sym_state unit) =
-          interp_foreach sta1.context.result stk inp sta1.context sta1.state id ss' ins
-        in
-        Rs.bind_collection aux res1_normal
-        ensures {
-          forall sta1 ctx1 sta2 ctx2 bhv2 b2.
-          eval_instruction stk (inp, {ctx with var_env=ctx.var_env[id <- s]'}, sta) ins (sta1, ctx1, BNormal) ->
-          eval_foreach stk ctx1.result (inp, ctx1, sta1) id ss' ins (sta2, ctx2, bhv2) b2 ->
-          Rs.mem {state=sta2; context=ctx2; data=b2} bhv2 result
+      let rec lemma size_string_expr_list_expr (le:list_expression)
+        ensures { forall se sp. size_string_expr se < size_list_expr (Cons (se, sp) le) }
+      = match le with
+        | Nil -> ()
+        | Cons _ le' -> size_string_expr_list_expr le'
+        end
+
+      let function flip_result sta
+        ensures { result.state = sta.state }
+        ensures { result.data = sta.data }
+        ensures { result.context = {sta.context with result=notb sta.context.result} }
+      = let result = notb sta.context.result in
+        let context = {sta.context with result=result} in
+        {sta with context=context}
+
+      let function reset_output sta sta' =
+        let sta'' = {sta'.state with stdout = sta.stdout} in
+        {sta' with state = sta''}
+
+      let function assignment_for_str_sta ctx var arg =
+        let sta', (str, result) = arg in
+        let ctx' = {
+          ctx with
+          var_env = ctx.var_env[var <- str]';
+          result = result;
         }
-      in
-      let res1_other' =
-        let function aux (sta: sym_state unit) =
-          with_data sta.context.result sta
         in
-        Rs.map aux res1_other
-        ensures {
-          forall sta1 ctx1 bhv1.
-          eval_instruction stk (inp, {ctx with var_env=ctx.var_env[id <- s]'}, sta) ins (sta1, ctx1, bhv1) ->
-          bhv1 <> BNormal ->
-          Rs.mem {state=sta1; context=ctx1; data=ctx1.result} bhv1 result
+        {state = sta'; context = ctx'; data = ()}
+
+      let rec interp_instr (stk:int) (inp:input) (ctx:context) (sta:state) (ins:instruction)
+        : Results.t unit
+        requires { inp.config.loop_limit <> Infinite /\ inp.config.stack_size <> Infinite }
+        requires { within_limit stk inp.config.stack_size }
+        variant { get_finite inp.config.stack_size - stk, size_instr ins, -1 }
+        ensures { (* Over-approximation *)
+          forall sta' ctx' bhv.
+          eval_instruction stk (inp, ctx, sta) ins (sta', ctx', bhv) ->
+          Results.mem {state=sta'; context=ctx'; data=()} bhv result
         }
-      in
-      Rs.union res_normal' res1_other'
-    end
+        (* (\* Under-approximation (->) and over-approximation (<-) *\) *)
+        (* ensures { *)
+        (*   forall bhv sta'. *)
+        (*   Results.mem sta' bhv result <-> *)
+        (*   eval_instruction stk (inp, ctx, sta) ins *)
+        (*     (sta'.state, sta'.context, bhv) *)
+        (* } *)
+      = match ins with
+
+        | INot ins1 ->
+          let res = interp_instr stk {inp with under_condition=True} ctx sta ins1 in
+          Results.({
+              normal = Cn.map flip_result res.normal;
+              return_ = Cn.map flip_result res.return_;
+              exit = res.exit;
+              failure = res.failure;
+            })
+          ensures {
+            forall sta' ctx' bhv.
+            eval_instruction stk ({inp with under_condition=True}, ctx, sta) ins1 (sta', ctx', bhv) ->
+            match bhv with
+            | BNormal | BReturn -> Results.mem {state=sta'; context={ctx' with result=notb ctx'.result}; data=()} bhv result
+            | BExit | BIncomplete -> Results.mem {state=sta'; context=ctx'; data=()} bhv result
+            end
+          }
 
-  with interp_while b ctr stk inp ctx (sta:state) ins1 ins2 : Rs.t (int, bool)
-    variant { get_finite inp.config.stack_size - stk, size_instr ins1+size_instr ins2, get_finite inp.config.loop_limit - ctr  }
-    requires { inp.config.loop_limit <> Infinite /\ inp.config.stack_size <> Infinite }
-    requires { 0 <= ctr <= get_finite inp.config.loop_limit }
-    requires { stk <= get_finite inp.config.stack_size }
-    ensures {
-      forall sta' ctx' bhv ctr' b'.
-      eval_while stk ctr b (inp, ctx, sta) ins1 ins2 (sta', ctx', bhv) ctr' b' ->
-      Rs.mem {state=sta'; context=ctx'; data=(ctr', b')} bhv result
-    }
-  = let loop_limit = get_finite inp.config.loop_limit in
-    if ctr = loop_limit then
-      let sta = { sta with log = Stdout.(newline (output loop_limit_message sta.log)) } in
-      Rs.({empty with failure=Cn.singleton {state=sta; context=ctx; data=(ctr, b)}})
-    else
-      let res1_normal, res1_abort =
-        Rs.separate_normal
-          (interp_instr stk {inp with under_condition=True} ctx sta ins1)
-      in
-      assert {
-        forall sta1 ctx1.
-        eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
-        Cn.mem {state=sta1; context=ctx1; data=()} res1_normal
-      };
-      assert {
-        forall sta1 ctx1 bhv1.
-        bhv1 <> BNormal ->
-        eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, bhv1) ->
-        Rs.mem {state=sta1; context=ctx1; data=()} bhv1 res1_abort
-      };
-      let res1_true, res1_false =
-        Cn.partition (fun sta -> sta.context.result) res1_normal
-      in
-      assert {
-        forall sta1 ctx1.
-        eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
-        ctx1.result = True ->
-        Cn.mem {state=sta1; context=ctx1; data=()} res1_true
-      };
-      assert {
-        forall sta1 ctx1.
-        eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
-        ctx1.result = False ->
-        Cn.mem {state=sta1; context=ctx1; data=()} res1_false
-      };
-      let res2_normal, res2_abort =
-        Rs.separate_normal
-          (interp_instr' stk inp res1_true ins2)
-      in
-      assert {
-        forall sta1 ctx1 sta2 ctx2.
-        eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
-        ctx1.result = True ->
-        eval_instruction stk (inp, ctx1, sta1) ins2 (sta2, ctx2, BNormal) ->
-        Cn.mem {state=sta2; context=ctx2; data=()} res2_normal
-      };
-      assert {
-        forall sta1 ctx1 sta2 ctx2 bhv2.
-        eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
-        ctx1.result = True ->
-        eval_instruction stk (inp, ctx1, sta1) ins2 (sta2, ctx2, bhv2) ->
-        bhv2 <> BNormal ->
-        Rs.mem {state=sta2; context=ctx2; data=()} bhv2 res2_abort
-      };
-      let res3 =
-        let function aux (sta2:sym_state unit) =
-          interp_while sta2.context.result (ctr+1) stk inp sta2.context sta2.state ins1 ins2
-        in
-        Rs.bind_collection aux res2_normal
-        ensures {
-          forall sta1 ctx1 sta2 ctx2 sta3 ctx3 bhv3 n b'.
-          inp.config.loop_limit <> Finite ctr ->
-          eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
-          ctx1.result = True ->
-          eval_instruction stk (inp, ctx1, sta1) ins2 (sta2, ctx2, BNormal) ->
-          eval_while stk (ctr+1) ctx2.result (inp, ctx2, sta2) ins1 ins2 (sta3, ctx3, bhv3) n b' ->
-          Rs.mem {state=sta3;context=ctx3;data=(n, b')} bhv3 result
-        }
-      in
-      let function with_ctr_b (sta:sym_state unit) =
-        {sta with data=(ctr, b)}
-      in
-      let res1_abort' =
-        Rs.map with_ctr_b res1_abort
-        ensures {
-          forall sta1 ctx1 bhv1.
-          inp.config.loop_limit <> Finite ctr ->
-          bhv1 <> BNormal ->
-          eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, bhv1) ->
-          Rs.mem {state=sta1;context=ctx1;data=(ctr, b)} bhv1 result
-        }
-      in
-      let res1_false' =
-        Rs.({empty with normal=Cn.map with_ctr_b res1_false})
-        ensures {
-          forall sta1 ctx1.
-          inp.config.loop_limit <> Finite ctr ->
-          ctx1.result = False ->
-          eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
-          Rs.mem {state=sta1;context=ctx1;data=(ctr, b)} BNormal result
-        }
-      in
-      let res2_abort' =
-        Rs.map with_ctr_b res2_abort
-        ensures {
-          forall sta1 ctx1 sta2 ctx2 bhv2.
-          inp.config.loop_limit <> Finite ctr ->
-          eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
-          ctx1.result = True ->
-          eval_instruction stk (inp, ctx1, sta1) ins2 (sta2, ctx2, bhv2) ->
-          bhv2 <> BNormal ->
-          Rs.mem {state=sta2;context=ctx2;data=(ctr, b)} bhv2 result
-        }
-      in
-      Rs.(union res3 (union res1_abort' (union res1_false' res2_abort')))
-
-  with interp_instr' (stk:int) (inp:input) (stas: Cn.t (sym_state 'a)) (ins:instruction) : Rs.t 'a
-    variant { get_finite inp.config.stack_size - stk, size_instr ins, Cn.size stas }
-    requires { inp.config.loop_limit <> Infinite /\ inp.config.stack_size <> Infinite }
-    requires { stk <= get_finite inp.config.stack_size }
-    ensures { (* Over-approximation *)
-      forall sta sta' ctx' bhv.
-      Cn.mem sta stas ->
-      eval_instruction stk (inp, sta.context, sta.state) ins (sta', ctx', bhv) ->
-      Rs.mem {state=sta'; context=ctx'; data=sta.data} bhv result
-    }
-  = let interp_instr_with_data sta =
-      ensures {
-        forall sta' ctx' bhv.
-        eval_instruction stk (inp, sta.context, sta.state) ins (sta', ctx', bhv) ->
-        Rs.mem {state=sta'; context=ctx'; data=sta.data} bhv result
-      }
-      Rs.map (with_data sta.data)
-        (interp_instr stk inp sta.context sta.state ins)
-    in
-    Rs.bind_collection interp_instr_with_data stas
-
-  with interp_str_expr (stk:int) (b:bool) (inp:input) (ctx:context) (sta:state) (se:string_expression)
-    : Cn.t (state, result (string, bool))
-    variant { get_finite inp.config.stack_size - stk, size_string_expr se, -1 }
-    requires { inp.config.loop_limit <> Infinite /\ inp.config.stack_size <> Infinite }
-    requires { stk <= get_finite inp.config.stack_size }
-    ensures { (* Over-approximation *)
-      forall sta' res.
-      eval_str_expr stk b (inp, ctx, sta) se (sta', res) ->
-      Cn.mem (sta', res) result
-    }
-  = match se with
-    | SLiteral str ->
-      Cn.singleton (sta, Ok (str, b))
-    | SVariable var ->
-      let str = ctx.var_env[var]' in
-      Cn.singleton (sta, Ok (str, b))
-    | SArgument n ->
-      let str = nth_argument (Cons inp.argument0 ctx.arguments) n.nat in
-      Cn.singleton (sta, Ok (str, b))
-    | SSubshell ins ->
-      let res, stas_failure =
-        Rs.separate_non_failure
-          (interp_instr stk inp ctx {sta with stdout=Stdout.empty} ins)
-      in
-      assert {
-        forall sta1 ctx1 bhv1.
-        eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins (sta1, ctx1, bhv1) ->
-        bhv1 <> BIncomplete ->
-        Cn.mem {state=sta1; context=ctx1; data=()} res
-      };
-      assert {
-        forall sta1 ctx1.
-        eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins (sta1, ctx1, BIncomplete) ->
-        Cn.mem {state=sta1; context=ctx1; data=()} stas_failure
-      };
-      let res' =
-        let for_res (sta1:sym_state unit) =
-          let str = Stdout.to_string sta1.state.stdout in
-          let sta1' = {sta1.state with stdout=sta.stdout} in
-          let b' = sta1.context.result in
-          sta1', Ok (str, b')
-        in
-        Cn.map for_res res
-      in
-      let res_failure' =
-        Cn.map (fun sta1 -> {sta1.state with stdout=sta.stdout}, Incomplete) stas_failure
-      in
-      Cn.union res' res_failure'
-      ensures {
-        forall sta1 ctx1.
-        eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins (sta1, ctx1, BIncomplete) ->
-        Cn.mem ({sta1 with stdout = sta.stdout}, Incomplete) result
-        by Cn.mem ({sta1 with stdout = sta.stdout}, Incomplete) res_failure'
-      }
-      ensures {
-        forall sta1 ctx1 bhv1.
-        eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins (sta1, ctx1, bhv1) ->
-        bhv1 <> BIncomplete ->
-        Cn.mem ({sta1 with stdout = sta.stdout}, Ok (Stdout.to_string sta1.stdout, ctx1.result)) result
-        by Cn.mem ({sta1 with stdout = sta.stdout}, Ok (Stdout.to_string sta1.stdout, ctx1.result)) res'
-      }
-    | SConcat se1 se2 ->
-      let res1, res1_failure =
-        separate_results
-          (interp_str_expr stk b inp ctx sta se1)
-      in
-      let res1' =
-        let for_res1 arg
+        | IAssignment var se ->
+          let str_stas, str_stas_failure =
+            separate_results
+              (interp_str_expr stk True inp ctx sta se)
+          in
+          let str_stas_failure = Results.stas_as_failures ctx str_stas_failure in
+          let res =
+            Results.inject inp
+              (Cn.map (fun arg -> assignment_for_str_sta ctx var arg) str_stas)
+          in
+          Results.(union res str_stas_failure)
           ensures {
-            let sta1, (str1, b1) = arg in
-            forall sta2.
-            eval_str_expr stk b (inp, ctx, sta) se1 (sta1, Ok (str1, b1)) ->
-            eval_str_expr stk b1 (inp, ctx, sta1) se2 (sta2, Incomplete) ->
-            Cn.mem (sta2, Incomplete) result
+            forall sta'.
+            eval_str_expr stk True (inp, ctx, sta) se (sta', Incomplete) ->
+            Cn.mem {state=sta'; context=ctx; data=()} result.Results.failure
           }
+
+        | IExport id ->
+          let sta' =
+            let ctx' =
+              let var_val = {ctx.var_env[id] with exported=True} in
+              let var_env' = ctx.var_env[id <- var_val] in
+              {ctx with var_env = var_env'; result = True}
+            in
+            {state = sta; context = ctx'; data=()}
+          in
+          Results.({empty with normal = Cn.singleton sta'})
+
+        | ISequence ins1 ins2 ->
+          let res1_normal, res1_other =
+            Results.separate_normal
+              (interp_instr stk inp ctx sta ins1)
+          in
+          let res2 = interp_instr' stk inp res1_normal ins2 in
+          Results.union res2 res1_other
+
+        | ISubshell ins ->
+          let stas, stas_failure =
+            Results.separate_non_failure
+              (interp_instr stk inp ctx sta ins)
+          in
+          assert {
+            forall sta' ctx' bhv.
+            bhv <> BIncomplete ->
+            eval_instruction stk (inp, ctx, sta) ins (sta', ctx', bhv) ->
+            Cn.mem {state=sta'; context=ctx'; data=()} stas
+          };
+          let stas' =
+            let aux sta =
+              let ctx' = {ctx with result = sta.context.result} in
+              {state=sta.state; context=ctx'; data=()}
+            in
+            Cn.map aux stas
+          in
+          let old_ctx_with_res sta = {sta with context={ctx with result=sta.context.result}} in
+          Results.(union
+              (inject inp stas')
+              {empty with failure=Cn.map old_ctx_with_res stas_failure})
           ensures {
-            let sta1, (str1, b1) = arg in
-            forall sta2 str2 b2.
-            eval_str_expr stk b (inp, ctx, sta) se1 (sta1, Ok (str1, b1)) ->
-            eval_str_expr stk b1 (inp, ctx, sta1) se2 (sta2, Ok (str2, b2)) ->
-            Cn.mem (sta2, Ok (String.concat str1 str2, b2)) result
+            forall sta' ctx'.
+            eval_instruction stk (inp, ctx, sta) ins (sta', ctx', BIncomplete) ->
+            Results.mem {state=sta'; context={ctx with result=ctx'.result}; data=()} BIncomplete result
+          }
+
+        | INoOutput ins ->
+          Results.map (reset_output sta)
+            (interp_instr stk inp ctx sta ins)
+
+        | IIf ins1 ins2 ins3 ->
+          let res1_normal, res1_other =
+            Results.separate_normal
+              (interp_instr stk {inp with under_condition=True} ctx sta ins1)
+          in
+          let res2 =
+            let res1_true, res1_false =
+              Cn.partition
+                (fun sta -> sta.context.result)
+                res1_normal
+            in
+            Results.union
+              (interp_instr' stk inp res1_true ins2)
+              (interp_instr' stk inp res1_false ins3)
+          in
+          Results.union res2 res1_other
+
+        | ICd se ->
+          let res1, res1_failures =
+            separate_results
+              (interp_str_expr stk True inp ctx sta se) in
+          let res2a =
+            let function aux arg =
+              let sta1, (s, (_:bool)) = arg in
+              let cwd_p = absolute_or_concat_relative ctx.cwd s in
+              let pwd_s = normalized_path_to_string cwd_p in
+              let args = Cons "-d" (Cons pwd_s Nil) in
+              Cn.map (fun arg -> let sta2, r = arg in ((sta2, cwd_p, pwd_s), r))
+                (sym_interp_utility (utility_context args ctx, identifier_test, sta1)) in
+            Cn.bind aux res1 in
+          let res2, res2_failures = separate_results res2a in
+          let function aux' arg =
+            let (sta2, cwd_p, pwd_s), b = arg in
+            if b then
+              let ctx' = {
+                ctx with
+                var_env = ctx.var_env[identifier_pwd <- pwd_s]';
+                Context.cwd = cwd_p;
+                result = True } in 
+              {state = sta2; context = ctx'; data = ()}
+            else
+              let ctx' = {ctx with result = False} in
+              {state = sta2; context = ctx'; data = ()} in
+          let res2' = Cn.map aux' res2 in
+          let res3 = Results.inject inp res2' in
+          let res2_failures' = Cn.map (fun arg -> let sta, _, _ = arg in sta) res2_failures in
+          let res_failures = Results.stas_as_failures ctx (Cn.union res1_failures res2_failures') in
+          Results.union res3 res_failures
+          ensures { [@expl:cd_arg_failure]
+            forall sta1.
+            eval_str_expr stk True (inp, ctx, sta) se (sta1, Incomplete) ->
+            Results.mem {state=sta1; context=ctx; data=()} BIncomplete result
+          }
+          ensures { [@expl:cd_incomplete]
+            forall sta1 s b sta2.
+            eval_str_expr stk True (inp, ctx, sta) se (sta1, Ok (s, b)) ->
+            let cwd_p = absolute_or_concat_relative ctx.Context.cwd s in
+            let pwd_s = normalized_path_to_string cwd_p in
+            let args = Cons "-d" (Cons pwd_s Nil) in
+            interp_utility (utility_context args ctx, identifier_test, sta1) (sta2, Incomplete) ->
+            Results.mem {state=sta2; context=ctx; data=()} BIncomplete result
+            by Cn.mem (sta1, (s, b)) res1
+            so Cn.mem (sta2, Incomplete) (sym_interp_utility (utility_context args ctx, identifier_test, sta1))
+            so Cn.mem (sta2, cwd_p, pwd_s) res2_failures
+          }
+          ensures { [@expl:cd_no_dir]
+            forall sta1 s b sta2.
+            eval_str_expr stk True (inp, ctx, sta) se (sta1, Ok (s, b)) ->
+            let cwd_p = absolute_or_concat_relative ctx.Context.cwd s in
+            let pwd_s = normalized_path_to_string cwd_p in
+            let args = Cons "-d" (Cons pwd_s Nil) in
+            interp_utility (utility_context args ctx, identifier_test, sta1) (sta2, Ok False) ->
+            let ctx' = {ctx with result = False} in
+            let bhv = behaviour inp False in
+            Results.mem {state=sta2; context=ctx'; data=()} bhv result
+            by Cn.mem (sta1, (s, b)) res1
+            so Cn.mem (sta2, Ok False) (sym_interp_utility (utility_context args ctx, identifier_test, sta1))
+            so Cn.mem ((sta2, cwd_p, pwd_s), False) res2
+            so Cn.mem {state=sta2; context=ctx'; data=()} res2'
           }
-        = let sta1, (str1, b1) = arg in
-          let res2, res2_failure =
+          ensures { [@expl:cd]
+            forall sta1 s b sta2.
+            eval_str_expr stk True (inp, ctx, sta) se (sta1, Ok (s, b)) ->
+            let cwd_p = absolute_or_concat_relative ctx.Context.cwd s in
+            let pwd_s = normalized_path_to_string cwd_p in
+            let args = Cons "-d" (Cons pwd_s Nil) in
+            interp_utility (utility_context args ctx, identifier_test, sta1) (sta2, Ok True) ->
+            let ctx1 = {ctx with result = True; var_env = ctx.var_env[identifier_pwd <- pwd_s]'; Context.cwd = cwd_p} in
+            let bhv = behaviour inp True in
+            Results.mem {state=sta2; context=ctx1; data=()} bhv result
+            by Cn.mem (sta1, (s, b)) res1
+            so Cn.mem (sta2, Ok True) (sym_interp_utility (utility_context args ctx, identifier_test, sta1))
+            so Cn.mem ((sta2, cwd_p, pwd_s), True) res2
+            so Cn.mem {state=sta2; context=ctx1; data=()} res2'
+          }
+
+        | ICallUtility id le ->
+          let res, res_failures =
+            separate_results
+              (interp_list_expr stk inp ctx sta le) in
+          let function aux arg =
+            let sta', args = arg in
+            sym_interp_utility (utility_context args ctx, id, sta') in
+          let res', res_failures' =
+            separate_results (Cn.bind aux res) in
+          let function aux' arg =
+            let sta'', b = arg in
+            {state=sta''; context={ctx with result=b}; data=()} in
+          let res'' = Cn.map aux' res' in
+          let res''' = Results.inject inp res'' in
+          let res_failures' = Results.stas_as_failures ctx (Cn.union res_failures res_failures') in
+          Results.union res''' res_failures'
+          ensures { [@expl:args_incomplete]
+            forall sta'.
+            eval_list_expr stk (inp, ctx, sta) le (sta', Incomplete) ->
+            Results.mem {state=sta'; context=ctx; data=()} BIncomplete result 
+          }
+          ensures { [@expl:utility_incomplete]
+            forall sta' ss sta''.
+            eval_list_expr stk (inp, ctx, sta) le (sta', Ok ss) ->
+            interp_utility (utility_context ss ctx, id, sta') (sta'', Incomplete) ->
+            Results.mem {state=sta''; context=ctx; data=()} BIncomplete result
+            by Results.mem {state=sta''; context=ctx; data=()} BIncomplete res_failures'
+          }
+          ensures { [@expl:utility]
+            forall sta' ss sta'' b.
+            eval_list_expr stk (inp, ctx, sta) le (sta', Ok ss) ->
+            interp_utility (utility_context ss ctx, id, sta') (sta'', Ok b) ->
+            let ctx' = {ctx with result=b} in
+            Results.mem {state=sta''; context=ctx'; data=()} (behaviour inp b) result
+            by Cn.mem {state=sta''; context=ctx'; data=()} res''
+          }
+
+        | ICallFunction id le ->
+          let arg_res, arg_res_failures =
             separate_results
-              (interp_str_expr stk b1 inp ctx sta1 se2)
+              (interp_list_expr stk inp ctx sta le)
           in
-          let res2_failure' =
-            Cn.map (fun sta -> sta, Incomplete) res2_failure
+          assert { [@expl:callfun1]
+            forall sta1 args.
+            eval_list_expr stk (inp, ctx, sta) le (sta1, Ok args) ->
+            Cn.mem (sta1, args) arg_res
+          };
+          let res =
+            match ctx.func_env[id] with
+            | Some ins -> (* Function defined as `ins` *)
+                if stk = get_finite inp.config.stack_size then (* Stack overflow *)
+                  let aux arg =
+                    let sta', _ = arg in
+                    let sta' = { sta' with log = Stdout.(newline (output stack_limit_message sta'.log)) } in
+                    {state=sta'; context=ctx; data=()}
+                  in
+                  Results.({empty with failure = Cn.map aux arg_res})
+                  ensures { [@expl:callfun2]
+                    forall sta1 args ins.
+                    eval_list_expr stk (inp, ctx, sta) le (sta1, Ok args) ->
+                    ctx.func_env[id] = Some ins ->
+                    inp.config.stack_size = Finite stk ->
+                    let sta1' = { sta1 with log = Stdout.(newline (output stack_limit_message sta1.log)) } in
+                    Results.mem {state=sta1'; context=ctx; data=()} BIncomplete result
+                  }
+                else (* Execute function *)
+                  let res2 =
+                    let function aux (arg: (state, list string))  =
+                      let sta1, args = arg in
+                      let inp1 = { inp with argument0 = identifier_to_string id } in
+                      let ctx1 = { ctx with arguments = args } in
+                      interp_instr (stk+1) inp1 ctx1 sta1 ins
+                    in
+                    Results.bind_collection aux arg_res
+                    ensures { [@expl:callfun3]
+                      forall sta1 args ins sta2 ctx2 bhv2.
+                      eval_list_expr stk (inp, ctx, sta) le (sta1, Ok args) ->
+                      ctx.func_env[id] = Some ins ->
+                      inp.config.stack_size <> Finite stk ->
+                      let inp1 = { inp with argument0 = identifier_to_string id } in
+                      let ctx1 = { ctx with arguments = args } in
+                      eval_instruction (stk+1) (inp1, ctx1, sta1) ins (sta2, ctx2, bhv2) ->
+                      Results.mem {state=sta2; context=ctx2; data=()} bhv2 result
+                    }
+                  in
+                  let res2' =
+                    let function aux (sta2: sym_state unit) =
+                      {state=sta2.state; context={sta2.context with arguments = ctx.arguments}; data=()}
+                    in
+                    Results.map aux res2
+                    ensures { [@expl:callfun4]
+                      forall sta1 args ins sta2 ctx2 bhv2.
+                      eval_list_expr stk (inp, ctx, sta) le (sta1, Ok args) ->
+                      ctx.func_env[id] = Some ins ->
+                      inp.config.stack_size <> Finite stk ->
+                      let inp1 = { inp with argument0 = identifier_to_string id } in
+                      let ctx1 = { ctx with arguments = args } in
+                      eval_instruction (stk+1) (inp1, ctx1, sta1) ins (sta2, ctx2, bhv2) ->
+                      Results.mem {state=sta2; context={ctx2 with arguments = ctx.arguments}; data=()} bhv2 result
+                    }
+                  in
+                  Results.({res2' with normal=Cn.union res2'.normal res2'.return_; return_=Cn.empty})
+                  ensures { [@expl:callfun5]
+                    forall sta1 args ins sta2 ctx2 bhv2.
+                    eval_list_expr stk (inp, ctx, sta) le (sta1, Ok args) ->
+                    ctx.func_env[id] = Some ins ->
+                    inp.config.stack_size <> Finite stk ->
+                    let inp1 = {inp with argument0=identifier_to_string id} in
+                    let ctx1 = {ctx with arguments=args} in
+                    eval_instruction (stk+1) (inp1, ctx1, sta1) ins (sta2, ctx2, bhv2) ->
+                    let bhv' = match bhv2 with BNormal | BReturn -> BNormal | BExit -> BExit | BIncomplete -> BIncomplete end in
+                    let ctx' = { ctx2 with arguments = ctx.arguments } in
+                    Results.mem {state=sta2; context=ctx'; data=()} bhv' result
+                  }
+            | None -> (* Undefined function *)
+                let arg_res' =
+                  let function aux (arg: (state, list string)) =
+                    let sta', _ = arg in
+                    {state=sta'; context={ctx with result=False}; data=()}
+                  in
+                  Cn.map aux arg_res
+                  ensures {
+                    forall sta' ss.
+                    eval_list_expr stk (inp, ctx, sta) le (sta', Ok ss) ->
+                    ctx.func_env[id] = None ->
+                    Cn.mem {state=sta'; context={ctx with result=False}; data=()} result
+                    by Cn.mem (sta', ss) arg_res
+                  }
+                in
+                Results.single_behaviour (behaviour inp False) arg_res'
+                ensures {
+                  forall sta' ss.
+                  eval_list_expr stk (inp, ctx, sta) le (sta', Ok ss) ->
+                  ctx.func_env[id] = None ->
+                  Results.mem {state=sta'; context={ctx with result=False}; data=()} (behaviour inp False) result
+                }
+            end
+          in
+          let res_failures = Results.stas_as_failures ctx arg_res_failures in
+          Results.union res res_failures
+
+        | IShift bn ->
+          match shift_arguments (option_get (mk_nat 1) bn).nat ctx.arguments with
+          | Some args ->
+            let ctx' = {ctx with result = True; arguments = args} in
+            let sta' = {state = sta; context = ctx'; data=()} in
+            Results.({empty with normal = Cn.singleton sta'})
+          | None ->
+            let ctx' = {ctx with result = False} in
+            let sta' = {state = sta; context = ctx'; data=()} in
+            Results.inject inp (Cn.singleton sta')
+          end
+
+        | IForeach id le ins ->
+          let lst_res, lst_res_failures =
+            separate_results
+              (interp_list_expr stk inp ctx sta le)
+          in
+          assert {
+            forall sta' ss.
+            eval_list_expr stk (inp, ctx, sta) le (sta', Ok ss) -> 
+            Cn.mem (sta', ss) lst_res
+          };
+          let res_loop_cont =
+            (* Execute foreach loop on a result from interp_list_expr *)
+            let function aux arg =
+              let sta', ss = arg in
+              interp_foreach True stk inp ctx sta' id ss ins
+            in
+            Results.bind_collection aux lst_res
+            ensures {
+              forall sta' ss sta'' ctx' bhv b.
+              eval_list_expr stk (inp, ctx, sta) le (sta', Ok ss) -> 
+              eval_foreach stk True (inp, ctx, sta') id ss ins (sta'', ctx', bhv) b ->
+              Results.mem {state=sta''; context=ctx'; data=b} bhv result
+            }
+          in
+          let res_loop_cont' =
+            let function aux sta'' =
+              let ctx'' = {sta''.context with result=sta''.data} in
+              with_data () {sta'' with context = ctx''}
+            in
+            Results.map aux res_loop_cont
+            ensures {
+              forall sta' ss sta'' ctx' bhv b.
+              eval_list_expr stk (inp, ctx, sta) le (sta', Ok ss) -> 
+              eval_foreach stk True (inp, ctx, sta') id ss ins (sta'', ctx', bhv) b ->
+
+              Results.mem {state=sta''; context={ctx' with result=b}; data=()} bhv result
+            }
+          in
+          let res_failure =
+            Results.stas_as_failures ctx lst_res_failures
+            ensures {
+              forall sta'.
+              eval_list_expr stk (inp, ctx, sta) le (sta', Incomplete) -> 
+              Results.mem {state=sta'; context=ctx; data=()} BIncomplete result
+            }
+          in
+          Results.(union res_loop_cont' res_failure)
+
+        | IWhile ins1 ins2 ->
+          let res = interp_while True 0 stk inp ctx sta ins1 ins2 in
+          let function aux_normal (sta': sym_state (int, bool)) =
+            let _, b = sta'.data in
+            {state=sta'.state; context={sta'.context with result=b}; data=()}
+          in
+          let function aux_other (sta': sym_state (int, bool)) =
+            {sta' with data=()}
+          in
+          Results.({normal=Cn.map aux_normal res.normal;
+              exit=Cn.map aux_other res.exit;
+              return_=Cn.map aux_other res.return_;
+              failure=Cn.map aux_other res.failure})
+          ensures {
+            forall sta' ctx' bhv ctr b.
+            bhv <> BNormal ->
+            eval_while stk 0 True (inp, ctx, sta) ins1 ins2 (sta', ctx', bhv) ctr b ->
+            Results.mem {state=sta'; context=ctx'; data=()}  bhv result
+          }
+          ensures {
+            forall sta' ctx' ctr b.
+            eval_while stk 0 True (inp, ctx, sta) ins1 ins2 (sta', ctx', BNormal) ctr b ->
+            Results.mem {state=sta'; context={ctx' with result=b}; data=()} BNormal result
+          }
+
+        | IPipe ins1 ins2 ->
+          let stas1, stas1_failure =
+            Results.separate_non_failure
+              (interp_instr stk inp ctx {sta with stdout=Stdout.empty} ins1)
+          in
+          assert {
+            forall sta1 ctx1 bhv1.
+            eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins1 (sta1, ctx1, bhv1) ->
+            bhv1 <> BIncomplete ->
+            Cn.mem {state=sta1; context=ctx1; data=()} stas1
+          };
+          let stas1': Cn.t (sym_state stdin) = (* data is sta1.state.stdin *)
+            let function aux (sta1: sym_state unit) =
+              {state={sta1.state with stdout=sta.stdout; stdin=Stdout.to_stdin sta1.state.stdout}; context=ctx; data=sta1.state.stdin}
+            in
+            Cn.map aux stas1
+            ensures {
+              forall sta1 ctx1 bhv1.
+              eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins1 (sta1, ctx1, bhv1) ->
+              bhv1 <> BIncomplete ->
+              Cn.mem
+                {state={sta1 with stdout=sta.stdout; stdin=Stdout.to_stdin sta1.stdout}; context=ctx; data=sta1.stdin}
+                result
+            }
+          in
+          let res2: Results.t stdin = (* data is sta1.state.stdin *)
+            interp_instr' stk inp stas1' ins2
+            ensures {
+              forall sta1 ctx1 bhv1 sta2 ctx2 bhv2.
+              eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins1 (sta1, ctx1, bhv1) -> 
+              bhv1 <> BIncomplete ->
+              eval_instruction stk (inp, ctx, {sta1 with stdout=sta.stdout; stdin=Stdout.to_stdin sta1.stdout}) ins2 (sta2, ctx2, bhv2) ->
+              Results.mem {state=sta2; context=ctx2; data=sta1.stdin} bhv2 result
+            }
           in
           let res2' =
-            let for_res2 arg2 =
-              let sta2, (str2, b2) = arg2 in
-              sta2, Ok (String.concat str1 str2, b2)
+            let function aux sta2 =
+              {state={sta2.state with stdin=sta2.data};
+              context={ctx with result=sta2.context.result};
+              data=()}
             in
-            Cn.map for_res2 res2
+            Results.map aux res2
+            ensures {
+              forall sta1 ctx1 bhv1 sta2 ctx2 bhv2.
+              eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins1 (sta1, ctx1, bhv1) -> 
+              bhv1 <> BIncomplete ->
+              eval_instruction stk (inp, ctx, {sta1 with stdout=sta.stdout; stdin=Stdout.to_stdin sta1.stdout}) ins2 (sta2, ctx2, bhv2) ->
+              Results.mem {state={sta2 with stdin=sta1.stdin}; context={ctx with result=ctx2.result}; data=()} bhv2 result
+            }
           in
-          Cn.(union res2' res2_failure')
-        in
-        Cn.bind for_res1 res1
-      in
-      let res1_failure' =
-        Cn.map (fun sta -> sta, Incomplete) res1_failure
-      in
-      Cn.(union res1' res1_failure')
-    end
+          let sta1_failure' =
+            let function aux (sta1: sym_state unit) =
+              {state={sta1.state with stdout=sta.stdout}; context=ctx; data=()}
+            in
+            Cn.map aux stas1_failure
+            ensures {
+              forall sta1 ctx1.
+              eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins1 (sta1, ctx1, BIncomplete) -> 
+              Cn.mem {state={sta1 with stdout=sta.stdout}; context=ctx; data=()} result
+            }
+          in
+          Results.(union res2' {empty with failure=sta1_failure'})
+
+        | IExit code ->
+          let r =
+            match code with
+            | RPrevious -> ctx.result
+            | RSuccess -> True
+            | RFailure -> False
+            end
+          in
+          let sta = {state=sta; context={ctx with result=r}; data=()} in
+          Results.({empty with exit = Cn.singleton sta})
+
+        | IReturn code ->
+          let r =
+            match code with
+            | RPrevious -> ctx.result
+            | RSuccess -> True
+            | RFailure -> False
+            end
+          in
+          let sta =
+            let ctx' = {ctx with result = r} in
+            {state = sta; context = ctx'; data=()}
+          in
+          Results.({empty with return_ = Cn.singleton sta})
+        end
+
+      with interp_foreach (b:bool) (stk:int) (inp:input) (ctx:context) (sta:state) (id:identifier) (ss:list string) (ins:instruction) : Results.t bool
+        variant { get_finite inp.config.stack_size - stk, size_instr ins, L.length ss }
+        requires { inp.config.loop_limit <> Infinite /\ inp.config.stack_size <> Infinite }
+        requires { stk <= get_finite inp.config.stack_size }
+        ensures {
+          forall sta' ctx' bhv b'.
+          eval_foreach stk b (inp, ctx, sta) id ss ins (sta', ctx', bhv) b' ->
+          Results.mem {state=sta'; context=ctx'; data=b'} bhv result
+        }
+      = match ss with
+        | Nil ->
+          Results.({empty with normal=Cn.singleton {state=sta; context=ctx; data=b}})
+        | Cons s ss' ->
+          let res1_normal, res1_other =
+            Results.separate_normal
+              (interp_instr stk inp {ctx with var_env = ctx.var_env[id <- s]'} sta ins)
+          in
+          let res_normal' =
+            let function aux (sta1: sym_state unit) =
+              interp_foreach sta1.context.result stk inp sta1.context sta1.state id ss' ins
+            in
+            Results.bind_collection aux res1_normal
+            ensures {
+              forall sta1 ctx1 sta2 ctx2 bhv2 b2.
+              eval_instruction stk (inp, {ctx with var_env=ctx.var_env[id <- s]'}, sta) ins (sta1, ctx1, BNormal) ->
+              eval_foreach stk ctx1.result (inp, ctx1, sta1) id ss' ins (sta2, ctx2, bhv2) b2 ->
+              Results.mem {state=sta2; context=ctx2; data=b2} bhv2 result
+            }
+          in
+          let res1_other' =
+            let function aux (sta: sym_state unit) =
+              with_data sta.context.result sta
+            in
+            Results.map aux res1_other
+            ensures {
+              forall sta1 ctx1 bhv1.
+              eval_instruction stk (inp, {ctx with var_env=ctx.var_env[id <- s]'}, sta) ins (sta1, ctx1, bhv1) ->
+              bhv1 <> BNormal ->
+              Results.mem {state=sta1; context=ctx1; data=ctx1.result} bhv1 result
+            }
+          in
+          Results.union res_normal' res1_other'
+        end
 
-  with interp_list_expr (stk:int) (inp:input) (ctx:context) (sta:state) (le:list_expression)
-    : Cn.t (state, result (list string))
-    variant { get_finite inp.config.stack_size - stk, size_list_expr le, -1 }
-    requires { inp.config.loop_limit <> Infinite /\ inp.config.stack_size <> Infinite }
-    requires { stk <= get_finite inp.config.stack_size }
-    ensures { (* Over-approximation *)
-      forall sta' res.
-      eval_list_expr stk (inp, ctx, sta) le (sta', res) ->
-      Cn.mem (sta', res) result
-    }
-  = match le with
-    | Nil ->
-      Cn.singleton (sta, Ok Nil)
-    | Cons (se, sp) le' ->
-      let str_res1, str_res1_failures =
-        separate_results
-          (interp_str_expr stk True inp ctx sta se : Cn.t (state, result (string, bool)))
-      in
-      let res2 =
-        let for_sta_str (arg: (state, (string, bool)))
+      with interp_while b ctr stk inp ctx (sta:state) ins1 ins2 : Results.t (int, bool)
+        variant { get_finite inp.config.stack_size - stk, size_instr ins1+size_instr ins2, get_finite inp.config.loop_limit - ctr  }
+        requires { inp.config.loop_limit <> Infinite /\ inp.config.stack_size <> Infinite }
+        requires { 0 <= ctr <= get_finite inp.config.loop_limit }
+        requires { stk <= get_finite inp.config.stack_size }
+        ensures {
+          forall sta' ctx' bhv ctr' b'.
+          eval_while stk ctr b (inp, ctx, sta) ins1 ins2 (sta', ctx', bhv) ctr' b' ->
+          Results.mem {state=sta'; context=ctx'; data=(ctr', b')} bhv result
+        }
+      = let loop_limit = get_finite inp.config.loop_limit in
+        if ctr = loop_limit then
+          let sta = { sta with log = Stdout.(newline (output loop_limit_message sta.log)) } in
+          Results.({empty with failure=Cn.singleton {state=sta; context=ctx; data=(ctr, b)}})
+        else
+          let res1_normal, res1_abort =
+            Results.separate_normal
+              (interp_instr stk {inp with under_condition=True} ctx sta ins1)
+          in
+          assert {
+            forall sta1 ctx1.
+            eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
+            Cn.mem {state=sta1; context=ctx1; data=()} res1_normal
+          };
+          assert {
+            forall sta1 ctx1 bhv1.
+            bhv1 <> BNormal ->
+            eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, bhv1) ->
+            Results.mem {state=sta1; context=ctx1; data=()} bhv1 res1_abort
+          };
+          let res1_true, res1_false =
+            Cn.partition (fun sta -> sta.context.result) res1_normal
+          in
+          assert {
+            forall sta1 ctx1.
+            eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
+            ctx1.result = True ->
+            Cn.mem {state=sta1; context=ctx1; data=()} res1_true
+          };
+          assert {
+            forall sta1 ctx1.
+            eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
+            ctx1.result = False ->
+            Cn.mem {state=sta1; context=ctx1; data=()} res1_false
+          };
+          let res2_normal, res2_abort =
+            Results.separate_normal
+              (interp_instr' stk inp res1_true ins2)
+          in
+          assert {
+            forall sta1 ctx1 sta2 ctx2.
+            eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
+            ctx1.result = True ->
+            eval_instruction stk (inp, ctx1, sta1) ins2 (sta2, ctx2, BNormal) ->
+            Cn.mem {state=sta2; context=ctx2; data=()} res2_normal
+          };
+          assert {
+            forall sta1 ctx1 sta2 ctx2 bhv2.
+            eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
+            ctx1.result = True ->
+            eval_instruction stk (inp, ctx1, sta1) ins2 (sta2, ctx2, bhv2) ->
+            bhv2 <> BNormal ->
+            Results.mem {state=sta2; context=ctx2; data=()} bhv2 res2_abort
+          };
+          let res3 =
+            let function aux (sta2:sym_state unit) =
+              interp_while sta2.context.result (ctr+1) stk inp sta2.context sta2.state ins1 ins2
+            in
+            Results.bind_collection aux res2_normal
+            ensures {
+              forall sta1 ctx1 sta2 ctx2 sta3 ctx3 bhv3 n b'.
+              inp.config.loop_limit <> Finite ctr ->
+              eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
+              ctx1.result = True ->
+              eval_instruction stk (inp, ctx1, sta1) ins2 (sta2, ctx2, BNormal) ->
+              eval_while stk (ctr+1) ctx2.result (inp, ctx2, sta2) ins1 ins2 (sta3, ctx3, bhv3) n b' ->
+              Results.mem {state=sta3;context=ctx3;data=(n, b')} bhv3 result
+            }
+          in
+          let function with_ctr_b (sta:sym_state unit) =
+            {sta with data=(ctr, b)}
+          in
+          let res1_abort' =
+            Results.map with_ctr_b res1_abort
+            ensures {
+              forall sta1 ctx1 bhv1.
+              inp.config.loop_limit <> Finite ctr ->
+              bhv1 <> BNormal ->
+              eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, bhv1) ->
+              Results.mem {state=sta1;context=ctx1;data=(ctr, b)} bhv1 result
+            }
+          in
+          let res1_false' =
+            Results.({empty with normal=Cn.map with_ctr_b res1_false})
+            ensures {
+              forall sta1 ctx1.
+              inp.config.loop_limit <> Finite ctr ->
+              ctx1.result = False ->
+              eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
+              Results.mem {state=sta1;context=ctx1;data=(ctr, b)} BNormal result
+            }
+          in
+          let res2_abort' =
+            Results.map with_ctr_b res2_abort
+            ensures {
+              forall sta1 ctx1 sta2 ctx2 bhv2.
+              inp.config.loop_limit <> Finite ctr ->
+              eval_instruction stk ({inp with under_condition = True}, ctx, sta) ins1 (sta1, ctx1, BNormal) ->
+              ctx1.result = True ->
+              eval_instruction stk (inp, ctx1, sta1) ins2 (sta2, ctx2, bhv2) ->
+              bhv2 <> BNormal ->
+              Results.mem {state=sta2;context=ctx2;data=(ctr, b)} bhv2 result
+            }
+          in
+          Results.(union res3 (union res1_abort' (union res1_false' res2_abort')))
+
+      with interp_instr' (stk:int) (inp:input) (stas: Cn.t (sym_state 'a)) (ins:instruction) : Results.t 'a
+        variant { get_finite inp.config.stack_size - stk, size_instr ins, Cn.size stas }
+        requires { inp.config.loop_limit <> Infinite /\ inp.config.stack_size <> Infinite }
+        requires { stk <= get_finite inp.config.stack_size }
+        ensures { (* Over-approximation *)
+          forall sta sta' ctx' bhv.
+          Cn.mem sta stas ->
+          eval_instruction stk (inp, sta.context, sta.state) ins (sta', ctx', bhv) ->
+          Results.mem {state=sta'; context=ctx'; data=sta.data} bhv result
+        }
+      = let interp_instr_with_data sta =
           ensures {
-            let sta1, (str1, b1) = arg in
-            forall sta2.
-            eval_str_expr stk True (inp, ctx, sta) se (sta1, Ok (str1, b1)) ->
-            eval_list_expr stk (inp, ctx, sta1) le' (sta2, Incomplete) ->
-            Cn.mem (sta2, Incomplete) result
+            forall sta' ctx' bhv.
+            eval_instruction stk (inp, sta.context, sta.state) ins (sta', ctx', bhv) ->
+            Results.mem {state=sta'; context=ctx'; data=sta.data} bhv result
+          }
+          Results.map (with_data sta.data)
+            (interp_instr stk inp sta.context sta.state ins)
+        in
+        Results.bind_collection interp_instr_with_data stas
+
+      with interp_str_expr (stk:int) (b:bool) (inp:input) (ctx:context) (sta:state) (se:string_expression)
+        : Cn.t (state, result (string, bool))
+        variant { get_finite inp.config.stack_size - stk, size_string_expr se, -1 }
+        requires { inp.config.loop_limit <> Infinite /\ inp.config.stack_size <> Infinite }
+        requires { stk <= get_finite inp.config.stack_size }
+        ensures { (* Over-approximation *)
+          forall sta' res.
+          eval_str_expr stk b (inp, ctx, sta) se (sta', res) ->
+          Cn.mem (sta', res) result
+        }
+      = match se with
+        | SLiteral str ->
+          Cn.singleton (sta, Ok (str, b))
+        | SVariable var ->
+          let str = ctx.var_env[var]' in
+          Cn.singleton (sta, Ok (str, b))
+        | SArgument n ->
+          let str = nth_argument (Cons inp.argument0 ctx.arguments) n.nat in
+          Cn.singleton (sta, Ok (str, b))
+        | SSubshell ins ->
+          let res, stas_failure =
+            Results.separate_non_failure
+              (interp_instr stk inp ctx {sta with stdout=Stdout.empty} ins)
+          in
+          assert {
+            forall sta1 ctx1 bhv1.
+            eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins (sta1, ctx1, bhv1) ->
+            bhv1 <> BIncomplete ->
+            Cn.mem {state=sta1; context=ctx1; data=()} res
+          };
+          assert {
+            forall sta1 ctx1.
+            eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins (sta1, ctx1, BIncomplete) ->
+            Cn.mem {state=sta1; context=ctx1; data=()} stas_failure
+          };
+          let res' =
+            let for_res (sta1:sym_state unit) =
+              let str = Stdout.to_string sta1.state.stdout in
+              let sta1' = {sta1.state with stdout=sta.stdout} in
+              let b' = sta1.context.result in
+              sta1', Ok (str, b')
+            in
+            Cn.map for_res res
+          in
+          let res_failure' =
+            Cn.map (fun sta1 -> {sta1.state with stdout=sta.stdout}, Incomplete) stas_failure
+          in
+          Cn.union res' res_failure'
+          ensures {
+            forall sta1 ctx1.
+            eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins (sta1, ctx1, BIncomplete) ->
+            Cn.mem ({sta1 with stdout = sta.stdout}, Incomplete) result
+            by Cn.mem ({sta1 with stdout = sta.stdout}, Incomplete) res_failure'
           }
           ensures {
-            let sta1, (str1, b1) = arg in
-            forall sta2 l2.
-            eval_str_expr stk True (inp, ctx, sta) se (sta1, Ok (str1, b1)) ->
-            eval_list_expr stk (inp, ctx, sta1) le' (sta2, Ok l2) ->
-            Cn.mem (sta2, Ok L.(split sp str1++l2)) result
+            forall sta1 ctx1 bhv1.
+            eval_instruction stk (inp, ctx, {sta with stdout=Stdout.empty}) ins (sta1, ctx1, bhv1) ->
+            bhv1 <> BIncomplete ->
+            Cn.mem ({sta1 with stdout = sta.stdout}, Ok (Stdout.to_string sta1.stdout, ctx1.result)) result
+            by Cn.mem ({sta1 with stdout = sta.stdout}, Ok (Stdout.to_string sta1.stdout, ctx1.result)) res'
           }
-        = let sta1, (str1, _) = arg in
-          let lst_res2: Cn.t (state, list string), lst_res2_failures: Cn.t state =
+        | SConcat se1 se2 ->
+          let res1, res1_failure =
             separate_results
-              (interp_list_expr stk inp ctx sta1 le')
+              (interp_str_expr stk b inp ctx sta se1)
           in
-          let lst_res2' =
-            Cn.map (fun arg -> let sta2, strs2 = arg in sta2, Ok L.(split sp str1++strs2)) lst_res2
+          let res1' =
+            let for_res1 arg
+              ensures {
+                let sta1, (str1, b1) = arg in
+                forall sta2.
+                eval_str_expr stk b (inp, ctx, sta) se1 (sta1, Ok (str1, b1)) ->
+                eval_str_expr stk b1 (inp, ctx, sta1) se2 (sta2, Incomplete) ->
+                Cn.mem (sta2, Incomplete) result
+              }
+              ensures {
+                let sta1, (str1, b1) = arg in
+                forall sta2 str2 b2.
+                eval_str_expr stk b (inp, ctx, sta) se1 (sta1, Ok (str1, b1)) ->
+                eval_str_expr stk b1 (inp, ctx, sta1) se2 (sta2, Ok (str2, b2)) ->
+                Cn.mem (sta2, Ok (String.concat str1 str2, b2)) result
+              }
+            = let sta1, (str1, b1) = arg in
+              let res2, res2_failure =
+                separate_results
+                  (interp_str_expr stk b1 inp ctx sta1 se2)
+              in
+              let res2_failure' =
+                Cn.map (fun sta -> sta, Incomplete) res2_failure
+              in
+              let res2' =
+                let for_res2 arg2 =
+                  let sta2, (str2, b2) = arg2 in
+                  sta2, Ok (String.concat str1 str2, b2)
+                in
+                Cn.map for_res2 res2
+              in
+              Cn.(union res2' res2_failure')
+            in
+            Cn.bind for_res1 res1
           in
-          let lst_res2_failures' =
-            Cn.map (fun sta -> sta, Incomplete) lst_res2_failures
+          let res1_failure' =
+            Cn.map (fun sta -> sta, Incomplete) res1_failure
           in
-          Cn.(union lst_res2' lst_res2_failures')
-        in
-        Cn.bind for_sta_str str_res1
-      in
-      let str_res1_failures' =
-        Cn.map (fun sta -> sta, Incomplete) str_res1_failures
-      in
-      Cn.(union res2 str_res1_failures')
-    end
+          Cn.(union res1' res1_failure')
+        end
 
-  let rec interp_function_definitions (fenv:func_env) (defs:list function_definition)
-    variant { defs }
-  = match defs with
-    | Nil -> fenv
-    | Cons (id, instr) defs' ->
-      interp_function_definitions fenv[id <- Some instr]  defs'
-    end
+      with interp_list_expr (stk:int) (inp:input) (ctx:context) (sta:state) (le:list_expression)
+        : Cn.t (state, result (list string))
+        variant { get_finite inp.config.stack_size - stk, size_list_expr le, -1 }
+        requires { inp.config.loop_limit <> Infinite /\ inp.config.stack_size <> Infinite }
+        requires { stk <= get_finite inp.config.stack_size }
+        ensures { (* Over-approximation *)
+          forall sta' res.
+          eval_list_expr stk (inp, ctx, sta) le (sta', res) ->
+          Cn.mem (sta', res) result
+        }
+      = match le with
+        | Nil ->
+          Cn.singleton (sta, Ok Nil)
+        | Cons (se, sp) le' ->
+          let str_res1, str_res1_failures =
+            separate_results
+              (interp_str_expr stk True inp ctx sta se : Cn.t (state, result (string, bool)))
+          in
+          let res2 =
+            let for_sta_str (arg: (state, (string, bool)))
+              ensures {
+                let sta1, (str1, b1) = arg in
+                forall sta2.
+                eval_str_expr stk True (inp, ctx, sta) se (sta1, Ok (str1, b1)) ->
+                eval_list_expr stk (inp, ctx, sta1) le' (sta2, Incomplete) ->
+                Cn.mem (sta2, Incomplete) result
+              }
+              ensures {
+                let sta1, (str1, b1) = arg in
+                forall sta2 l2.
+                eval_str_expr stk True (inp, ctx, sta) se (sta1, Ok (str1, b1)) ->
+                eval_list_expr stk (inp, ctx, sta1) le' (sta2, Ok l2) ->
+                Cn.mem (sta2, Ok L.(split sp str1++l2)) result
+              }
+            = let sta1, (str1, _) = arg in
+              let lst_res2: Cn.t (state, list string), lst_res2_failures: Cn.t state =
+                separate_results
+                  (interp_list_expr stk inp ctx sta1 le')
+              in
+              let lst_res2' =
+                Cn.map (fun arg -> let sta2, strs2 = arg in sta2, Ok L.(split sp str1++strs2)) lst_res2
+              in
+              let lst_res2_failures' =
+                Cn.map (fun sta -> sta, Incomplete) lst_res2_failures
+              in
+              Cn.(union lst_res2' lst_res2_failures')
+            in
+            Cn.bind for_sta_str str_res1
+          in
+          let str_res1_failures' =
+            Cn.map (fun sta -> sta, Incomplete) str_res1_failures
+          in
+          Cn.(union res2 str_res1_failures')
+        end
+
+      let rec interp_function_definitions (fenv:func_env) (defs:list function_definition)
+        variant { defs }
+      = match defs with
+        | Nil -> fenv
+        | Cons (id, instr) defs' ->
+          interp_function_definitions fenv[id <- Some instr]  defs'
+        end
 
-  let function only_states_with_result (res: bool) (stas: Cn.t (sym_state unit)) : Cn.t state =
-    Cn.(map (fun sta -> sta.state)
-          (filter (fun sta -> notb (xorb res sta.context.result))
-          stas))
-
-  let interp_program inp stas pro : (Cn.t state, Cn.t state, Cn.t state)
-    requires { inp.config.loop_limit <> Infinite }
-    requires { inp.config.stack_size <> Infinite }
-  = let stas, stas_failure =
-      let stas =
-        let aux sta =
-          let fenv = interp_function_definitions sta.context.func_env pro.function_definitions in
-          {sta with context={sta.context with func_env = fenv}}
+      let function only_states_with_result (res: bool) (stas: Cn.t (sym_state unit)) : Cn.t state =
+        Cn.(map (fun sta -> sta.state)
+              (filter (fun sta -> notb (xorb res sta.context.result))
+              stas))
+
+      let interp_program inp stas pro : (Cn.t state, Cn.t state, Cn.t state)
+        requires { inp.config.loop_limit <> Infinite }
+        requires { inp.config.stack_size <> Infinite }
+      = let stas, stas_failure =
+          let stas =
+            let aux sta =
+              let fenv = interp_function_definitions sta.context.func_env pro.function_definitions in
+              {sta with context={sta.context with func_env = fenv}}
+            in
+            Cn.map aux stas
+          in
+          Results.separate_non_failure
+            (interp_instr' 0 inp stas pro.instruction)
         in
-        Cn.map aux stas
-      in
-      Rs.separate_non_failure
-        (interp_instr' 0 inp stas pro.instruction)
-    in
-    (only_states_with_result True stas,
-     only_states_with_result False stas,
-     Cn.map (fun sta -> sta.state) stas_failure)
+        (only_states_with_result True stas,
+        only_states_with_result False stas,
+        Cn.map (fun sta -> sta.state) stas_failure)
+    end
+  end
 end
\ No newline at end of file
diff --git a/src/symbolic/symbolicInterpreter/why3session.xml b/src/symbolic/symbolicInterpreter/why3session.xml
index 66436e00..61fb9ca5 100644
--- a/src/symbolic/symbolicInterpreter/why3session.xml
+++ b/src/symbolic/symbolicInterpreter/why3session.xml
@@ -7,35 +7,66 @@
 <prover id="6" name="Z3" version="4.8.7" timelimit="5" steplimit="0" memlimit="1000"/>
 <file format="whyml" proved="true">
 <path name=".."/><path name="symbolicInterpreter.mlw"/>
-<theory name="Results" proved="true">
- <goal name="map&#39;vc" expl="VC for map" proved="true">
- <proof prover="3"><result status="valid" time="0.85" steps="1964"/></proof>
+<theory name="Interpreter" proved="true">
+ <goal name="MakeSemantics.MakeInterpreter.Results.map&#39;vc" expl="VC for map" proved="true">
+ <proof prover="3"><result status="valid" time="0.61" steps="1964"/></proof>
+ <transf name="split_vc" proved="true" >
+  <goal name="map&#39;vc.0" expl="postcondition" proved="true">
+  <proof prover="3"><result status="valid" time="0.08" steps="71"/></proof>
+  </goal>
+  <goal name="map&#39;vc.1" expl="postcondition" proved="true">
+  <proof prover="1"><result status="valid" time="0.66" steps="149806"/></proof>
+  </goal>
+ </transf>
  </goal>
- <goal name="union&#39;vc" expl="VC for union" proved="true">
- <proof prover="3"><result status="valid" time="0.13" steps="261"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.union&#39;vc" expl="VC for union" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="261"/></proof>
  </goal>
- <goal name="union_1" proved="true">
- <proof prover="1"><result status="valid" time="0.37" steps="81727"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.union_1" proved="true">
+ <proof prover="1"><result status="valid" time="0.24" steps="81969"/></proof>
  </goal>
- <goal name="union_2" proved="true">
- <proof prover="1"><result status="valid" time="0.36" steps="81893"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.union_2" proved="true">
+ <proof prover="1"><result status="valid" time="0.24" steps="82135"/></proof>
  </goal>
- <goal name="flatten_list&#39;vc" expl="VC for flatten_list" proved="true">
- <proof prover="1" timelimit="0" memlimit="0"><result status="valid" time="20.94" steps="2948814"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.flatten_list&#39;vc" expl="VC for flatten_list" proved="true">
+ <proof prover="3"><result status="valid" time="0.84" steps="1965"/></proof>
  </goal>
- <goal name="flatten&#39;vc" expl="VC for flatten" proved="true">
- <proof prover="3"><result status="valid" time="0.18" steps="103"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.flatten&#39;vc" expl="VC for flatten" proved="true">
+ <proof prover="3"><result status="valid" time="0.09" steps="103"/></proof>
  </goal>
- <goal name="bind_collection&#39;vc" expl="VC for bind_collection" proved="true">
- <proof prover="3"><result status="valid" time="0.21" steps="160"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.bind_collection&#39;vc" expl="VC for bind_collection" proved="true">
+ <proof prover="3"><result status="valid" time="0.22" steps="160"/></proof>
  </goal>
- <goal name="separate_normal&#39;vc" expl="VC for separate_normal" proved="true">
- <proof prover="3"><result status="valid" time="0.06" steps="64"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.separate_normal&#39;vc" expl="VC for separate_normal" proved="true">
+ <transf name="split_vc" proved="true" >
+  <goal name="separate_normal&#39;vc.0" expl="postcondition" proved="true">
+  <transf name="split_vc" proved="true" >
+  </transf>
+  </goal>
+  <goal name="separate_normal&#39;vc.1" expl="postcondition" proved="true">
+  <proof prover="3"><result status="valid" time="0.20" steps="18"/></proof>
+  </goal>
+  <goal name="separate_normal&#39;vc.2" expl="postcondition" proved="true">
+  <proof prover="3"><result status="valid" time="0.09" steps="18"/></proof>
+  </goal>
+  <goal name="separate_normal&#39;vc.3" expl="postcondition" proved="true">
+  <proof prover="3"><result status="valid" time="0.20" steps="18"/></proof>
+  </goal>
+  <goal name="separate_normal&#39;vc.4" expl="postcondition" proved="true">
+  <proof prover="1"><result status="valid" time="0.14" steps="76880"/></proof>
+  </goal>
+  <goal name="separate_normal&#39;vc.5" expl="postcondition" proved="true">
+  <proof prover="3"><result status="valid" time="0.19" steps="20"/></proof>
+  </goal>
+  <goal name="separate_normal&#39;vc.6" expl="postcondition" proved="true">
+  <proof prover="3"><result status="valid" time="0.12" steps="64"/></proof>
+  </goal>
+ </transf>
  </goal>
- <goal name="stas_as_failures&#39;vc" expl="VC for stas_as_failures" proved="true">
- <proof prover="1"><result status="valid" time="0.63" steps="105060"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.stas_as_failures&#39;vc" expl="VC for stas_as_failures" proved="true">
+ <proof prover="1"><result status="valid" time="0.73" steps="105302"/></proof>
  </goal>
- <goal name="mem_inject" proved="true">
+ <goal name="MakeSemantics.MakeInterpreter.Results.mem_inject" proved="true">
  <transf name="introduce_premises" proved="true" >
   <goal name="mem_inject.0" proved="true">
   <transf name="subst" proved="true" arg1="res">
@@ -44,44 +75,44 @@
     <goal name="mem_inject.0.0.0" proved="true">
     <transf name="destruct_term_subst" proved="true" arg1="bhv">
      <goal name="mem_inject.0.0.0.0" proved="true">
-     <proof prover="1" timelimit="5"><result status="valid" time="0.54" steps="92787"/></proof>
+     <proof prover="1" timelimit="5"><result status="valid" time="0.38" steps="93029"/></proof>
      </goal>
      <goal name="mem_inject.0.0.0.1" proved="true">
      <transf name="split_vc" proved="true" >
       <goal name="mem_inject.0.0.0.1.0" proved="true">
-      <proof prover="6"><result status="valid" time="0.09" steps="1047662"/></proof>
+      <proof prover="6"><result status="valid" time="0.11" steps="1048499"/></proof>
       </goal>
       <goal name="mem_inject.0.0.0.1.1" proved="true">
-      <proof prover="6"><result status="valid" time="0.10" steps="1021224"/></proof>
+      <proof prover="6"><result status="valid" time="0.12" steps="1021982"/></proof>
       </goal>
       <goal name="mem_inject.0.0.0.1.2" proved="true">
-      <proof prover="6"><result status="valid" time="0.10" steps="1094642"/></proof>
+      <proof prover="6"><result status="valid" time="0.13" steps="1095532"/></proof>
       </goal>
      </transf>
      </goal>
      <goal name="mem_inject.0.0.0.2" proved="true">
      <transf name="split_vc" proved="true" >
       <goal name="mem_inject.0.0.0.2.0" proved="true">
-      <proof prover="6"><result status="valid" time="0.21" steps="1060972"/></proof>
+      <proof prover="6"><result status="valid" time="0.12" steps="1061840"/></proof>
       </goal>
       <goal name="mem_inject.0.0.0.2.1" proved="true">
-      <proof prover="6"><result status="valid" time="0.19" steps="1033682"/></proof>
+      <proof prover="6"><result status="valid" time="0.14" steps="1034409"/></proof>
       </goal>
       <goal name="mem_inject.0.0.0.2.2" proved="true">
-      <proof prover="6"><result status="valid" time="0.10" steps="1134474"/></proof>
+      <proof prover="6"><result status="valid" time="0.15" steps="1135548"/></proof>
       </goal>
      </transf>
      </goal>
      <goal name="mem_inject.0.0.0.3" proved="true">
      <transf name="split_vc" proved="true" >
       <goal name="mem_inject.0.0.0.3.0" proved="true">
-      <proof prover="1"><result status="valid" time="0.36" steps="91188"/></proof>
+      <proof prover="1"><result status="valid" time="0.39" steps="91430"/></proof>
       </goal>
       <goal name="mem_inject.0.0.0.3.1" proved="true">
-      <proof prover="1"><result status="valid" time="0.31" steps="84288"/></proof>
+      <proof prover="1"><result status="valid" time="0.35" steps="84531"/></proof>
       </goal>
       <goal name="mem_inject.0.0.0.3.2" proved="true">
-      <proof prover="1" timelimit="10" memlimit="4000"><result status="valid" time="4.93" steps="637892"/></proof>
+      <proof prover="1" timelimit="10" memlimit="4000"><result status="valid" time="5.53" steps="632504"/></proof>
       </goal>
      </transf>
      </goal>
@@ -93,1229 +124,1207 @@
   </goal>
  </transf>
  </goal>
- <goal name="inject_union" proved="true">
+ <goal name="MakeSemantics.MakeInterpreter.Results.inject_union" proved="true">
  <transf name="split_vc" proved="true" >
   <goal name="inject_union.0" proved="true">
-  <proof prover="1" timelimit="10"><result status="valid" time="1.81" steps="282284"/></proof>
+  <proof prover="1" timelimit="10" memlimit="4000"><result status="valid" time="1.03" steps="284168"/></proof>
   </goal>
   <goal name="inject_union.1" proved="true">
-  <proof prover="1" timelimit="5"><result status="valid" time="0.64" steps="85692"/></proof>
+  <proof prover="1"><result status="valid" time="0.33" steps="85934"/></proof>
   </goal>
  </transf>
  </goal>
- <goal name="inject_return_empty" proved="true">
- <proof prover="3"><result status="valid" time="0.11" steps="22"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.inject_return_empty" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="22"/></proof>
  </goal>
- <goal name="inject_failure_empty" proved="true">
- <proof prover="3"><result status="valid" time="0.16" steps="22"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.inject_failure_empty" proved="true">
+ <proof prover="3"><result status="valid" time="0.19" steps="22"/></proof>
  </goal>
- <goal name="inject_normal_union_exit" proved="true">
- <proof prover="3"><result status="valid" time="0.08" steps="20"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.inject_normal_union_exit" proved="true">
+ <proof prover="1"><result status="valid" time="0.31" steps="84750"/></proof>
  </goal>
- <goal name="inject_under_condition_normal" proved="true">
+ <goal name="MakeSemantics.MakeInterpreter.Results.inject_under_condition_normal" proved="true">
  <transf name="split_vc" proved="true" >
   <goal name="inject_under_condition_normal.0" proved="true">
-  <proof prover="1"><result status="valid" time="1.18" steps="121785"/></proof>
+  <proof prover="1"><result status="valid" time="0.69" steps="122110"/></proof>
   </goal>
   <goal name="inject_under_condition_normal.1" proved="true">
-  <proof prover="1"><result status="valid" time="0.58" steps="85966"/></proof>
+  <proof prover="1"><result status="valid" time="0.40" steps="86208"/></proof>
   </goal>
  </transf>
  </goal>
- <goal name="inject_under_condition_exit" proved="true">
+ <goal name="MakeSemantics.MakeInterpreter.Results.inject_under_condition_exit" proved="true">
  <transf name="split_vc" proved="true" >
   <goal name="inject_under_condition_exit.0" proved="true">
-  <proof prover="6"><result status="valid" time="0.24" steps="1100956"/></proof>
+  <proof prover="1"><result status="valid" time="0.82" steps="113572"/></proof>
   </goal>
   <goal name="inject_under_condition_exit.1" proved="true">
-  <proof prover="1" timelimit="5"><result status="valid" time="0.41" steps="87127"/></proof>
+  <proof prover="1"><result status="valid" time="0.39" steps="87369"/></proof>
   </goal>
  </transf>
  </goal>
- <goal name="inject_outside_condition_normal" proved="true">
+ <goal name="MakeSemantics.MakeInterpreter.Results.inject_outside_condition_normal" proved="true">
  <transf name="split_vc" proved="true" >
   <goal name="inject_outside_condition_normal.0" proved="true">
-  <proof prover="1" timelimit="10"><result status="valid" time="1.06" steps="136610"/></proof>
+  <proof prover="1"><result status="valid" time="0.81" steps="136788"/></proof>
   </goal>
   <goal name="inject_outside_condition_normal.1" proved="true">
-  <proof prover="1" timelimit="10"><result status="valid" time="0.59" steps="90119"/></proof>
+  <proof prover="1"><result status="valid" time="0.35" steps="90361"/></proof>
   </goal>
  </transf>
  </goal>
- <goal name="inject_outside_condition_exit" proved="true">
+ <goal name="MakeSemantics.MakeInterpreter.Results.inject_outside_condition_exit" proved="true">
  <transf name="split_vc" proved="true" >
   <goal name="inject_outside_condition_exit.0" proved="true">
-  <proof prover="1"><result status="valid" time="0.98" steps="141466"/></proof>
+  <proof prover="1"><result status="valid" time="0.75" steps="141286"/></proof>
   </goal>
   <goal name="inject_outside_condition_exit.1" proved="true">
-  <proof prover="1"><result status="valid" time="0.60" steps="91069"/></proof>
+  <proof prover="1"><result status="valid" time="0.41" steps="91311"/></proof>
   </goal>
  </transf>
  </goal>
- <goal name="inject_map" proved="true">
- <proof prover="1"><result status="valid" time="0.62" steps="102707"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.inject_map" proved="true">
+ <proof prover="1"><result status="valid" time="0.66" steps="102949"/></proof>
  </goal>
- <goal name="inject_map&#39;" proved="true">
- <proof prover="1"><result status="valid" time="0.58" steps="105101"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.inject_map&#39;" proved="true">
+ <proof prover="1"><result status="valid" time="0.62" steps="105343"/></proof>
  </goal>
- <goal name="union_inject" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="union_inject.0" proved="true">
-  <proof prover="1"><result status="valid" time="0.53" steps="88665"/></proof>
-  </goal>
-  <goal name="union_inject.1" proved="true">
-  <proof prover="1"><result status="valid" time="0.52" steps="86182"/></proof>
-  </goal>
- </transf>
+ <goal name="MakeSemantics.MakeInterpreter.Results.union_inject" proved="true">
+ <proof prover="1"><result status="valid" time="0.44" steps="87372"/></proof>
  </goal>
- <goal name="mem_union_inject" proved="true">
- <proof prover="1"><result status="valid" time="0.48" steps="96262"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.mem_union_inject" proved="true">
+ <proof prover="1"><result status="valid" time="0.66" steps="96504"/></proof>
  </goal>
- <goal name="mem_union" proved="true">
- <proof prover="1"><result status="valid" time="0.42" steps="86525"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.mem_union" proved="true">
+ <proof prover="1"><result status="valid" time="0.46" steps="86767"/></proof>
  </goal>
- <goal name="mem_map" proved="true">
- <proof prover="1"><result status="valid" time="0.57" steps="94364"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.mem_map" proved="true">
+ <proof prover="1"><result status="valid" time="0.64" steps="94606"/></proof>
  </goal>
- <goal name="failure_union" proved="true">
- <proof prover="1"><result status="valid" time="0.54" steps="89902"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.failure_union" proved="true">
+ <proof prover="1"><result status="valid" time="0.64" steps="90144"/></proof>
  </goal>
- <goal name="mem_mk_results" proved="true">
- <proof prover="3"><result status="valid" time="0.20" steps="165"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.mem_mk_results" proved="true">
+ <proof prover="1"><result status="valid" time="0.72" steps="100905"/></proof>
  </goal>
- <goal name="mem_union_results" proved="true">
- <proof prover="1" timelimit="0" memlimit="0"><result status="valid" time="0.58" steps="106241"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.Results.mem_union_results" proved="true">
+ <proof prover="1"><result status="valid" time="0.61" steps="106483"/></proof>
  </goal>
-</theory>
-<theory name="Interpreter" proved="true">
- <goal name="separate_results_list&#39;vc" expl="VC for separate_results_list" proved="true">
- <proof prover="3"><result status="valid" time="0.63" steps="2158"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.separate_results_list&#39;vc" expl="VC for separate_results_list" proved="true">
+ <proof prover="3" timelimit="5"><result status="valid" time="0.38" steps="2158"/></proof>
  </goal>
- <goal name="separate_results&#39;vc" expl="VC for separate_results" proved="true">
- <proof prover="3"><result status="valid" time="0.09" steps="90"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.separate_results&#39;vc" expl="VC for separate_results" proved="true">
+ <proof prover="1"><result status="valid" time="0.64" steps="111325"/></proof>
  </goal>
- <goal name="size_instr&#39;vc" expl="VC for size_instr" proved="true">
- <proof prover="6"><result status="valid" time="0.27" steps="1586133"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.size_instr&#39;vc" expl="VC for size_instr" proved="true">
+ <proof prover="3" timelimit="5"><result status="valid" time="1.84" steps="14274"/></proof>
  </goal>
- <goal name="size_list_expr&#39;vc" expl="VC for size_list_expr" proved="true">
- <proof prover="3"><result status="valid" time="0.23" steps="141"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.size_list_expr&#39;vc" expl="VC for size_list_expr" proved="true">
+ <proof prover="1" timelimit="5"><result status="valid" time="0.33" steps="100433"/></proof>
  </goal>
- <goal name="size_pair&#39;vc" expl="VC for size_pair" proved="true">
- <proof prover="3"><result status="valid" time="0.07" steps="18"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.size_pair&#39;vc" expl="VC for size_pair" proved="true">
+ <proof prover="1"><result status="valid" time="0.16" steps="81690"/></proof>
  </goal>
- <goal name="size_string_expr&#39;vc" expl="VC for size_string_expr" proved="true">
- <proof prover="3"><result status="valid" time="0.22" steps="328"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.size_string_expr&#39;vc" expl="VC for size_string_expr" proved="true">
+ <proof prover="1"><result status="valid" time="0.35" steps="97926"/></proof>
  </goal>
- <goal name="size_string_expr_list_expr&#39;vc" expl="VC for size_string_expr_list_expr" proved="true">
- <proof prover="3"><result status="valid" time="0.21" steps="84"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.size_string_expr_list_expr&#39;vc" expl="VC for size_string_expr_list_expr" proved="true">
+ <proof prover="1"><result status="valid" time="0.44" steps="113688"/></proof>
  </goal>
- <goal name="flip_result&#39;vc" expl="VC for flip_result" proved="true">
+ <goal name="MakeSemantics.MakeInterpreter.flip_result&#39;vc" expl="VC for flip_result" proved="true">
  <transf name="split_vc" proved="true" >
   <goal name="flip_result&#39;vc.0" expl="postcondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.22" steps="82640"/></proof>
+  <proof prover="1" timelimit="5"><result status="valid" time="0.29" steps="82628"/></proof>
   </goal>
   <goal name="flip_result&#39;vc.1" expl="postcondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.31" steps="82641"/></proof>
+  <proof prover="3"><result status="valid" time="0.17" steps="18"/></proof>
   </goal>
   <goal name="flip_result&#39;vc.2" expl="postcondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.21" steps="82642"/></proof>
+  <proof prover="3"><result status="valid" time="0.16" steps="18"/></proof>
   </goal>
  </transf>
  </goal>
- <goal name="interp_instr&#39;vc" expl="VC for interp_instr" proved="true">
+ <goal name="MakeSemantics.MakeInterpreter.interp_instr&#39;vc" expl="VC for interp_instr" proved="true">
  <transf name="split_vc" proved="true" >
   <goal name="interp_instr&#39;vc.0" expl="variant decrease" proved="true">
-  <proof prover="1"><result status="valid" time="0.54" steps="90763"/></proof>
+  <proof prover="1"><result status="valid" time="0.39" steps="90751"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="1" timelimit="60"><result status="valid" time="0.20" steps="83788"/></proof>
+  <proof prover="1"><result status="valid" time="0.23" steps="83776"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.14" steps="26"/></proof>
+  <proof prover="3"><result status="valid" time="0.13" steps="26"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.3" expl="postcondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.49" steps="114841"/></proof>
+  <proof prover="1"><result status="valid" time="0.49" steps="114829"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.4" expl="variant decrease" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="interp_instr&#39;vc.4.0" expl="variant decrease" proved="true">
-   <proof prover="3"><result status="valid" time="0.12" steps="28"/></proof>
-   </goal>
-   <goal name="interp_instr&#39;vc.4.1" expl="variant decrease" proved="true">
-   <proof prover="3"><result status="valid" time="0.19" steps="81"/></proof>
-   </goal>
-  </transf>
+  <proof prover="1"><result status="valid" time="0.51" steps="90714"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.5" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="interp_instr&#39;vc.5.0" expl="precondition" proved="true">
-   <transf name="inversion_arg_pr" proved="true" arg1="H">
-    <goal name="interp_instr&#39;vc.5.0.0" expl="precondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.30" steps="83788"/></proof>
-    </goal>
-   </transf>
-   </goal>
-   <goal name="interp_instr&#39;vc.5.1" expl="precondition" proved="true">
-   <transf name="inversion_arg_pr" proved="true" arg1="H">
-    <goal name="interp_instr&#39;vc.5.1.0" expl="precondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.27" steps="83788"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
+  <proof prover="3"><result status="valid" time="0.13" steps="26"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.6" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.19" steps="56"/></proof>
+  <proof prover="1"><result status="valid" time="0.63" steps="89769"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.7" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.15" steps="92"/></proof>
+  <proof prover="3"><result status="valid" time="0.23" steps="92"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.8" expl="variant decrease" proved="true">
-  <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="3.40" steps="4267"/></proof>
+  <proof prover="1"><result status="valid" time="0.58" steps="90710"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.9" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="interp_instr&#39;vc.9.0" expl="precondition" proved="true">
-   <transf name="inversion_arg_pr" proved="true" arg1="H">
-    <goal name="interp_instr&#39;vc.9.0.0" expl="precondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.17" steps="83788"/></proof>
-    </goal>
-   </transf>
-   </goal>
-   <goal name="interp_instr&#39;vc.9.1" expl="precondition" proved="true">
-   <transf name="inversion_arg_pr" proved="true" arg1="H">
-    <goal name="interp_instr&#39;vc.9.1.0" expl="precondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.29" steps="83788"/></proof>
-    </goal>
-   </transf>
-   </goal>
-  </transf>
+  <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="0.11" steps="26"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.09" steps="26"/></proof>
+  <proof prover="1"><result status="valid" time="0.29" steps="83784"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.11" expl="variant decrease" proved="true">
-  <proof prover="3" timelimit="5"><result status="valid" time="3.45" steps="4836"/></proof>
+  <proof prover="1"><result status="valid" time="0.70" steps="116443"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.28" steps="36"/></proof>
+  <proof prover="1"><result status="valid" time="0.30" steps="84536"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.62" steps="96818"/></proof>
+  <proof prover="3"><result status="valid" time="0.17" steps="68"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.14" expl="variant decrease" proved="true">
-  <proof prover="1"><result status="valid" time="0.57" steps="90703"/></proof>
+  <proof prover="1"><result status="valid" time="0.55" steps="90691"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.15" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.14" steps="26"/></proof>
+  <proof prover="1" timelimit="5"><result status="valid" time="0.35" steps="83776"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.16" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.24" steps="83792"/></proof>
+  <proof prover="1"><result status="valid" time="0.32" steps="83780"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.17" expl="assertion" proved="true">
-  <proof prover="3"><result status="valid" time="0.49" steps="211"/></proof>
+  <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="0.55" steps="211"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.18" expl="postcondition" proved="true">
-  <proof prover="3" timelimit="20"><result status="valid" time="0.56" steps="259"/></proof>
+  <proof prover="3" timelimit="5"><result status="valid" time="0.57" steps="259"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.19" expl="variant decrease" proved="true">
-  <proof prover="1"><result status="valid" time="0.49" steps="90703"/></proof>
+  <proof prover="1"><result status="valid" time="0.42" steps="90691"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.20" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.16" steps="83788"/></proof>
+  <proof prover="1"><result status="valid" time="0.28" steps="83776"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.21" expl="precondition" proved="true">
-  <proof prover="3" timelimit="5"><result status="valid" time="0.09" steps="26"/></proof>
+  <proof prover="1"><result status="valid" time="0.22" steps="83780"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.22" expl="variant decrease" proved="true">
-  <proof prover="1"><result status="valid" time="0.56" steps="90805"/></proof>
+  <proof prover="1"><result status="valid" time="0.57" steps="90793"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.23" expl="precondition" proved="true">
-  <proof prover="3" timelimit="5"><result status="valid" time="0.13" steps="26"/></proof>
+  <proof prover="3"><result status="valid" time="0.17" steps="26"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.24" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.09" steps="26"/></proof>
+  <proof prover="3" timelimit="5"><result status="valid" time="0.14" steps="26"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.25" expl="variant decrease" proved="true">
-  <proof prover="1"><result status="valid" time="0.82" steps="125344"/></proof>
+  <proof prover="1"><result status="valid" time="0.77" steps="125332"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.26" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.10" steps="38"/></proof>
+  <proof prover="3" timelimit="30"><result status="valid" time="0.17" steps="38"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.27" expl="precondition" proved="true">
-  <proof prover="1" timelimit="5"><result status="valid" time="0.43" steps="102647"/></proof>
+  <proof prover="3"><result status="valid" time="0.17" steps="85"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.28" expl="variant decrease" proved="true">
-  <proof prover="1"><result status="valid" time="0.77" steps="125547"/></proof>
+  <transf name="split_vc" proved="true" >
+   <goal name="interp_instr&#39;vc.28.0" expl="variant decrease" proved="true">
+   <transf name="inversion_arg_pr" proved="true" arg1="H">
+    <goal name="interp_instr&#39;vc.28.0.0" expl="variant decrease" proved="true">
+    <proof prover="1"><result status="valid" time="0.69" steps="134591"/></proof>
+    </goal>
+   </transf>
+   </goal>
+  </transf>
   </goal>
   <goal name="interp_instr&#39;vc.29" expl="precondition" proved="true">
-  <proof prover="3" timelimit="5"><result status="valid" time="0.11" steps="38"/></proof>
+  <proof prover="3"><result status="valid" time="0.17" steps="38"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.30" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.58" steps="102850"/></proof>
+  <proof prover="1"><result status="valid" time="0.60" steps="102838"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.31" expl="variant decrease" proved="true">
-  <proof prover="1"><result status="valid" time="0.62" steps="90703"/></proof>
+  <proof prover="3"><result status="valid" time="0.16" steps="83"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.32" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.31" steps="83788"/></proof>
+  <proof prover="3"><result status="valid" time="0.09" steps="26"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.33" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.06" steps="54"/></proof>
+  <proof prover="3" timelimit="5"><result status="valid" time="0.09" steps="54"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.34" expl="cd_arg_failure" proved="true">
-  <proof prover="3"><result status="valid" time="0.33" steps="100"/></proof>
+  <proof prover="3"><result status="valid" time="0.34" steps="100"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.35" expl="cd_incomplete" proved="true">
   <transf name="split_vc" proved="true" >
    <goal name="interp_instr&#39;vc.35.0" expl="cd_incomplete" proved="true">
-   <proof prover="3"><result status="valid" time="0.10" steps="40"/></proof>
+   <proof prover="3"><result status="valid" time="0.12" steps="40"/></proof>
    </goal>
    <goal name="interp_instr&#39;vc.35.1" expl="VC for interp_instr" proved="true">
-   <proof prover="1"><result status="valid" time="0.44" steps="100180"/></proof>
+   <proof prover="1"><result status="valid" time="0.33" steps="100247"/></proof>
    </goal>
    <goal name="interp_instr&#39;vc.35.2" expl="VC for interp_instr" proved="true">
-   <proof prover="3"><result status="valid" time="0.16" steps="378"/></proof>
+   <proof prover="3"><result status="valid" time="0.26" steps="412"/></proof>
    </goal>
    <goal name="interp_instr&#39;vc.35.3" expl="VC for interp_instr" proved="true">
-   <proof prover="1"><result status="valid" time="0.76" steps="136387"/></proof>
+   <proof prover="1"><result status="valid" time="0.85" steps="134861"/></proof>
    </goal>
   </transf>
   </goal>
   <goal name="interp_instr&#39;vc.36" expl="cd_no_dir" proved="true">
   <transf name="split_vc" proved="true" >
    <goal name="interp_instr&#39;vc.36.0" expl="cd_no_dir" proved="true">
-   <proof prover="3"><result status="valid" time="0.16" steps="40"/></proof>
+   <proof prover="3"><result status="valid" time="0.18" steps="40"/></proof>
    </goal>
    <goal name="interp_instr&#39;vc.36.1" expl="VC for interp_instr" proved="true">
-   <proof prover="1"><result status="valid" time="0.50" steps="100411"/></proof>
+   <proof prover="1"><result status="valid" time="0.57" steps="100470"/></proof>
    </goal>
    <goal name="interp_instr&#39;vc.36.2" expl="VC for interp_instr" proved="true">
-   <proof prover="3"><result status="valid" time="0.25" steps="381"/></proof>
+   <proof prover="3"><result status="valid" time="0.40" steps="575"/></proof>
    </goal>
    <goal name="interp_instr&#39;vc.36.3" expl="VC for interp_instr" proved="true">
-   <proof prover="3"><result status="valid" time="0.15" steps="46"/></proof>
+   <proof prover="3"><result status="valid" time="0.11" steps="46"/></proof>
    </goal>
    <goal name="interp_instr&#39;vc.36.4" expl="VC for interp_instr" proved="true">
-   <proof prover="1"><result status="valid" time="0.73" steps="107890"/></proof>
+   <proof prover="1"><result status="valid" time="0.72" steps="108011"/></proof>
    </goal>
   </transf>
   </goal>
   <goal name="interp_instr&#39;vc.37" expl="cd" proved="true">
   <transf name="split_vc" proved="true" >
    <goal name="interp_instr&#39;vc.37.0" expl="cd" proved="true">
-   <proof prover="3"><result status="valid" time="0.11" steps="40"/></proof>
+   <proof prover="3"><result status="valid" time="0.15" steps="40"/></proof>
    </goal>
    <goal name="interp_instr&#39;vc.37.1" expl="VC for interp_instr" proved="true">
-   <proof prover="1"><result status="valid" time="0.35" steps="100622"/></proof>
+   <proof prover="1"><result status="valid" time="0.54" steps="100678"/></proof>
    </goal>
    <goal name="interp_instr&#39;vc.37.2" expl="VC for interp_instr" proved="true">
-   <proof prover="3"><result status="valid" time="0.20" steps="484"/></proof>
+   <proof prover="3"><result status="valid" time="0.66" steps="952"/></proof>
    </goal>
    <goal name="interp_instr&#39;vc.37.3" expl="VC for interp_instr" proved="true">
-   <proof prover="3"><result status="valid" time="0.10" steps="46"/></proof>
+   <proof prover="3"><result status="valid" time="0.21" steps="46"/></proof>
    </goal>
    <goal name="interp_instr&#39;vc.37.4" expl="VC for interp_instr" proved="true">
-   <proof prover="1"><result status="valid" time="0.66" steps="108296"/></proof>
+   <proof prover="1"><result status="valid" time="0.74" steps="108416"/></proof>
    </goal>
   </transf>
   </goal>
   <goal name="interp_instr&#39;vc.38" expl="variant decrease" proved="true">
-  <proof prover="1"><result status="valid" time="0.56" steps="90726"/></proof>
+  <transf name="split_vc" proved="true" >
+   <goal name="interp_instr&#39;vc.38.0" expl="variant decrease" proved="true">
+   <proof prover="3"><result status="valid" time="0.13" steps="28"/></proof>
+   </goal>
+   <goal name="interp_instr&#39;vc.38.1" expl="variant decrease" proved="true">
+   <proof prover="1"><result status="valid" time="0.59" steps="90664"/></proof>
+   </goal>
+  </transf>
   </goal>
   <goal name="interp_instr&#39;vc.39" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.42" steps="83792"/></proof>
+  <proof prover="1"><result status="valid" time="0.29" steps="83780"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.40" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.59" steps="89781"/></proof>
+  <proof prover="1" timelimit="10" memlimit="4000"><result status="valid" time="0.64" steps="89769"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.41" expl="args_incomplete" proved="true">
-  <proof prover="3"><result status="valid" time="0.38" steps="98"/></proof>
+  <proof prover="3"><result status="valid" time="0.37" steps="98"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.42" expl="utility_incomplete" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="interp_instr&#39;vc.42.0" expl="utility_incomplete" proved="true">
-   <proof prover="3"><result status="valid" time="0.16" steps="137"/></proof>
-   </goal>
-   <goal name="interp_instr&#39;vc.42.1" expl="VC for interp_instr" proved="true">
-   <proof prover="1"><result status="valid" time="0.36" steps="98271"/></proof>
-   </goal>
-  </transf>
+  <proof prover="3"><result status="valid" time="0.79" steps="209"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.43" expl="utility" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="interp_instr&#39;vc.43.0" expl="utility" proved="true">
-   <proof prover="3"><result status="valid" time="0.23" steps="355"/></proof>
-   </goal>
-   <goal name="interp_instr&#39;vc.43.1" expl="VC for interp_instr" proved="true">
-   <proof prover="1"><result status="valid" time="0.46" steps="104111"/></proof>
-   </goal>
-  </transf>
+  <proof prover="3" timelimit="5"><result status="valid" time="0.56" steps="277"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.44" expl="variant decrease" proved="true">
-  <proof prover="1"><result status="valid" time="0.67" steps="90726"/></proof>
+  <proof prover="3" timelimit="5"><result status="valid" time="0.19" steps="97"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.45" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.27" steps="83792"/></proof>
+  <proof prover="1"><result status="valid" time="0.29" steps="83780"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.46" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.62" steps="89781"/></proof>
+  <transf name="split_vc" proved="true" >
+   <goal name="interp_instr&#39;vc.46.0" expl="precondition" proved="true">
+   <proof prover="3"><result status="valid" time="0.13" steps="56"/></proof>
+   </goal>
+  </transf>
   </goal>
   <goal name="interp_instr&#39;vc.47" expl="callfun1" proved="true">
-  <proof prover="3"><result status="valid" time="0.22" steps="30"/></proof>
+  <proof prover="3" timelimit="20"><result status="valid" time="0.15" steps="30"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.48" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.11" steps="28"/></proof>
+  <proof prover="1"><result status="valid" time="0.27" steps="84755"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.49" expl="callfun2" proved="true">
-  <proof prover="3"><result status="valid" time="0.46" steps="184"/></proof>
+  <proof prover="3"><result status="valid" time="0.45" steps="184"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.50" expl="variant decrease" proved="true">
-  <proof prover="1" timelimit="10" memlimit="4000"><result status="valid" time="0.64" steps="91060"/></proof>
+  <proof prover="1"><result status="valid" time="0.53" steps="91048"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.51" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.22" steps="84810"/></proof>
+  <proof prover="1"><result status="valid" time="0.29" steps="84798"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.52" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.62" steps="91044"/></proof>
+  <transf name="split_vc" proved="true" >
+   <goal name="interp_instr&#39;vc.52.0" expl="precondition" proved="true">
+   <proof prover="3"><result status="valid" time="0.15" steps="76"/></proof>
+   </goal>
+  </transf>
   </goal>
   <goal name="interp_instr&#39;vc.53" expl="callfun3" proved="true">
-  <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="3.99" steps="1628"/></proof>
+  <proof prover="3" timelimit="5"><result status="valid" time="3.58" steps="1628"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.54" expl="callfun4" proved="true">
-  <proof prover="3"><result status="valid" time="0.49" steps="120"/></proof>
+  <proof prover="3" timelimit="20"><result status="valid" time="0.35" steps="120"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.55" expl="callfun5" proved="true">
-  <proof prover="1" timelimit="10" memlimit="4000"><result status="valid" time="1.94" steps="240567"/></proof>
+  <transf name="inline_goal" proved="true" >
+   <goal name="interp_instr&#39;vc.55.0" expl="callfun5" proved="true">
+   <transf name="split_all_full" proved="true" >
+    <goal name="interp_instr&#39;vc.55.0.0" expl="VC for interp_instr" proved="true">
+    <transf name="split_vc" proved="true" >
+     <goal name="interp_instr&#39;vc.55.0.0.0" expl="VC for interp_instr" proved="true">
+     <proof prover="1" timelimit="5" memlimit="2000"><result status="valid" time="1.17" steps="166896"/></proof>
+     </goal>
+    </transf>
+    </goal>
+    <goal name="interp_instr&#39;vc.55.0.1" expl="VC for interp_instr" proved="true">
+    <transf name="split_vc" proved="true" >
+     <goal name="interp_instr&#39;vc.55.0.1.0" expl="VC for interp_instr" proved="true">
+     <proof prover="1" timelimit="5" memlimit="2000"><result status="valid" time="0.85" steps="132981"/></proof>
+     </goal>
+    </transf>
+    </goal>
+    <goal name="interp_instr&#39;vc.55.0.2" expl="VC for interp_instr" proved="true">
+    <transf name="split_vc" proved="true" >
+     <goal name="interp_instr&#39;vc.55.0.2.0" expl="VC for interp_instr" proved="true">
+     <proof prover="1" timelimit="5" memlimit="2000"><result status="valid" time="0.89" steps="134685"/></proof>
+     </goal>
+    </transf>
+    </goal>
+    <goal name="interp_instr&#39;vc.55.0.3" expl="VC for interp_instr" proved="true">
+    <transf name="split_vc" proved="true" >
+     <goal name="interp_instr&#39;vc.55.0.3.0" expl="VC for interp_instr" proved="true">
+     <proof prover="1" timelimit="5" memlimit="2000"><result status="valid" time="0.60" steps="133484"/></proof>
+     </goal>
+    </transf>
+    </goal>
+   </transf>
+   </goal>
+  </transf>
   </goal>
   <goal name="interp_instr&#39;vc.56" expl="postcondition" proved="true">
-  <proof prover="1"><result status="valid" time="1.12" steps="131827"/></proof>
+  <proof prover="3"><result status="valid" time="0.26" steps="77"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.57" expl="postcondition" proved="true">
-  <proof prover="3" timelimit="5"><result status="valid" time="0.33" steps="196"/></proof>
+  <proof prover="3"><result status="valid" time="0.46" steps="196"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.58" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.26" steps="83788"/></proof>
+  <proof prover="1"><result status="valid" time="0.26" steps="83776"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.59" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.16" steps="30"/></proof>
+  <proof prover="3"><result status="valid" time="0.14" steps="30"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.60" expl="variant decrease" proved="true">
-  <proof prover="1"><result status="valid" time="0.59" steps="90745"/></proof>
+  <proof prover="1"><result status="valid" time="0.58" steps="90733"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.61" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.18" steps="26"/></proof>
+  <transf name="split_vc" proved="true" >
+   <goal name="interp_instr&#39;vc.61.0" expl="precondition" proved="true">
+   <proof prover="3"><result status="valid" time="0.12" steps="26"/></proof>
+   </goal>
+   <goal name="interp_instr&#39;vc.61.1" expl="precondition" proved="true">
+   <proof prover="3"><result status="valid" time="0.08" steps="26"/></proof>
+   </goal>
+  </transf>
   </goal>
   <goal name="interp_instr&#39;vc.62" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.13" steps="58"/></proof>
+  <proof prover="3"><result status="valid" time="0.15" steps="58"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.63" expl="assertion" proved="true">
-  <proof prover="3"><result status="valid" time="0.20" steps="30"/></proof>
+  <proof prover="3"><result status="valid" time="0.24" steps="30"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.64" expl="variant decrease" proved="true">
-  <proof prover="1"><result status="valid" time="0.69" steps="93269"/></proof>
+  <proof prover="1" timelimit="5"><result status="valid" time="0.58" steps="93257"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.65" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.38" steps="84732"/></proof>
+  <proof prover="1" timelimit="60"><result status="valid" time="0.27" steps="84720"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.66" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.60" steps="90792"/></proof>
+  <proof prover="1"><result status="valid" time="0.38" steps="90780"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.67" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="interp_instr&#39;vc.67.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.29" steps="82"/></proof>
-   </goal>
-  </transf>
+  <proof prover="3"><result status="valid" time="0.26" steps="82"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.68" expl="postcondition" proved="true">
   <transf name="inline_goal" proved="true" >
    <goal name="interp_instr&#39;vc.68.0" expl="postcondition" proved="true">
-   <transf name="split_all_full" proved="true" >
-    <goal name="interp_instr&#39;vc.68.0.0" expl="VC for interp_instr" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="interp_instr&#39;vc.68.0.0.0" expl="VC for interp_instr" proved="true">
-     <proof prover="1" timelimit="5" memlimit="2000"><result status="valid" time="0.87" steps="164457"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="interp_instr&#39;vc.68.0.1" expl="VC for interp_instr" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="interp_instr&#39;vc.68.0.1.0" expl="VC for interp_instr" proved="true">
-     <proof prover="1" timelimit="5" memlimit="2000"><result status="valid" time="0.96" steps="163547"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="interp_instr&#39;vc.68.0.2" expl="VC for interp_instr" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="interp_instr&#39;vc.68.0.2.0" expl="VC for interp_instr" proved="true">
-     <proof prover="1" timelimit="5" memlimit="2000"><result status="valid" time="0.83" steps="163226"/></proof>
-     </goal>
-    </transf>
-    </goal>
-    <goal name="interp_instr&#39;vc.68.0.3" expl="VC for interp_instr" proved="true">
-    <transf name="split_vc" proved="true" >
-     <goal name="interp_instr&#39;vc.68.0.3.0" expl="VC for interp_instr" proved="true">
-     <proof prover="1" timelimit="5" memlimit="2000"><result status="valid" time="0.93" steps="164044"/></proof>
-     </goal>
-    </transf>
-    </goal>
-   </transf>
+   <proof prover="1"><result status="valid" time="0.81" steps="177585"/></proof>
    </goal>
   </transf>
   </goal>
   <goal name="interp_instr&#39;vc.69" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.24" steps="36"/></proof>
+  <proof prover="3"><result status="valid" time="0.16" steps="36"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.70" expl="variant decrease" proved="true">
-  <proof prover="1"><result status="valid" time="0.64" steps="90808"/></proof>
+  <proof prover="1"><result status="valid" time="0.51" steps="90796"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.71" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.30" steps="83792"/></proof>
+  <proof prover="3"><result status="valid" time="0.18" steps="26"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.72" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.10" steps="73"/></proof>
+  <proof prover="3"><result status="valid" time="0.21" steps="73"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.73" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.32" steps="89875"/></proof>
+  <proof prover="1"><result status="valid" time="0.71" steps="89863"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.74" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.90" steps="667"/></proof>
+  <proof prover="3"><result status="valid" time="0.89" steps="667"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.75" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.49" steps="122"/></proof>
+  <proof prover="3"><result status="valid" time="0.58" steps="122"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.76" expl="variant decrease" proved="true">
-  <proof prover="3" timelimit="20"><result status="valid" time="2.76" steps="4267"/></proof>
+  <proof prover="1"><result status="valid" time="0.61" steps="90710"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.77" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.32" steps="83792"/></proof>
+  <proof prover="1" timelimit="10" memlimit="4000"><result status="valid" time="0.24" steps="83780"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.78" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.31" steps="83796"/></proof>
+  <proof prover="3"><result status="valid" time="0.16" steps="26"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.79" expl="assertion" proved="true">
-  <proof prover="3"><result status="valid" time="0.70" steps="226"/></proof>
+  <proof prover="3"><result status="valid" time="0.40" steps="226"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.80" expl="postcondition" proved="true">
-  <proof prover="1" timelimit="5"><result status="valid" time="0.92" steps="124656"/></proof>
+  <proof prover="1"><result status="valid" time="0.66" steps="124644"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.81" expl="variant decrease" proved="true">
-  <proof prover="3" timelimit="30"><result status="valid" time="3.79" steps="5004"/></proof>
+  <proof prover="1"><result status="valid" time="0.62" steps="105824"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.82" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.20" steps="85462"/></proof>
+  <proof prover="1"><result status="valid" time="0.22" steps="85450"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.83" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.66" steps="94216"/></proof>
+  <proof prover="3"><result status="valid" time="0.14" steps="60"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.84" expl="postcondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.60" steps="124702"/></proof>
+  <proof prover="3" timelimit="5"><result status="valid" time="0.27" steps="97"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.85" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.47" steps="105"/></proof>
+  <proof prover="3"><result status="valid" time="0.66" steps="105"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.86" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.35" steps="163"/></proof>
+  <proof prover="3"><result status="valid" time="0.59" steps="163"/></proof>
   </goal>
   <goal name="interp_instr&#39;vc.87" expl="postcondition" proved="true">
   <transf name="split_vc" proved="true" >
    <goal name="interp_instr&#39;vc.87.0" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.0.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.38" steps="100141"/></proof>
+    <proof prover="1"><result status="valid" time="0.45" steps="100129"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.39" steps="100135"/></proof>
+    <proof prover="1"><result status="valid" time="0.42" steps="100123"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="105074"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="105063"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.55" steps="105606"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="105594"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="100759"/></proof>
+    <proof prover="1"><result status="valid" time="0.48" steps="100747"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="100719"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="100731"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="105072"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="105030"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.47" steps="105330"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="105310"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="105428"/></proof>
+    <proof prover="1"><result status="valid" time="0.49" steps="105408"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="101400"/></proof>
+    <proof prover="1"><result status="valid" time="0.50" steps="101412"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="100759"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="100771"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="106541"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="106529"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="103414"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="103402"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.50" steps="104637"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="104625"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="103386"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="103374"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="103822"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="103810"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.52" steps="103398"/></proof>
+    <proof prover="1"><result status="valid" time="0.68" steps="103386"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="106960"/></proof>
+    <proof prover="1"><result status="valid" time="0.68" steps="106948"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="106958"/></proof>
+    <proof prover="1"><result status="valid" time="0.69" steps="106946"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="103839"/></proof>
+    <proof prover="1"><result status="valid" time="0.50" steps="103827"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="103797"/></proof>
+    <proof prover="1"><result status="valid" time="0.68" steps="103785"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.50" steps="110880"/></proof>
+    <proof prover="1"><result status="valid" time="0.73" steps="110869"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="106237"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="106226"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.55" steps="100581"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="100585"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.55" steps="101417"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="101335"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="101893"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="101872"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="100581"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="100585"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="103291"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="103279"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.40" steps="102588"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="102576"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="106865"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="106853"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="100607"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="100611"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.53" steps="102225"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="102213"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="101212"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="101200"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.0.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="101292"/></proof>
+    <proof prover="1"><result status="valid" time="0.53" steps="101280"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.1" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.1.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.53" steps="97168"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="97156"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="97168"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="97156"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.52" steps="101815"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="101804"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="102347"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="102335"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.52" steps="97792"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="97780"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.49" steps="97788"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="97800"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="102118"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="102076"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.53" steps="102076"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="102056"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="102175"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="102155"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.9" expl="postcondition" proved="true">
-    <proof prover="1" timelimit="5"><result status="valid" time="3.11" steps="399019"/></proof>
+    <proof prover="1" timelimit="5"><result status="valid" time="4.76" steps="399013"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="97836"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="97848"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="103078"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="103066"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="100136"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="100124"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="100879"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="100867"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="100244"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="100232"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.50" steps="100751"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="100739"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="100472"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="100460"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="103553"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="103541"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.52" steps="103551"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="103539"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="100615"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="100603"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="100385"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="100373"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="106985"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="106974"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.51" steps="103103"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="103092"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="97605"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="97609"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.45" steps="98451"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="98363"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.47" steps="98602"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="98581"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.53" steps="97605"/></proof>
+    <proof prover="1"><result status="valid" time="0.45" steps="97609"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="100002"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="99990"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.55" steps="99624"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="99612"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.55" steps="103710"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="103698"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.46" steps="97631"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="97635"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.47" steps="98775"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="98763"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="98052"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="98040"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.1.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="98014"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="98002"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.2" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.2.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="99570"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="99558"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.51" steps="99570"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="99558"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.48" steps="104504"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="104493"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="105044"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="105032"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.51" steps="107967"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="107955"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.55" steps="99907"/></proof>
+    <proof prover="1"><result status="valid" time="0.42" steps="99919"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.51" steps="104396"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="104225"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="104754"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="104734"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.47" steps="104843"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="104823"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="100837"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="100849"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.50" steps="99947"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="99959"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="105534"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="105522"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="102601"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="102589"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="103901"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="103889"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.50" steps="102697"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="102685"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="103142"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="103130"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="102624"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="102612"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.72" steps="106006"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="105994"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="106004"/></proof>
+    <proof prover="1"><result status="valid" time="0.42" steps="105992"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="103070"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="103058"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="102852"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="102840"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="109970"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="109959"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="105241"/></proof>
+    <proof prover="1"><result status="valid" time="0.53" steps="105230"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="99769"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="99773"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.55" steps="100759"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="100527"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="101331"/></proof>
+    <proof prover="1"><result status="valid" time="0.51" steps="101310"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.45" steps="99769"/></proof>
+    <proof prover="1"><result status="valid" time="0.50" steps="99773"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="102709"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="102697"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="101799"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="101787"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="106023"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="106011"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="99795"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="99799"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.51" steps="101503"/></proof>
+    <proof prover="1"><result status="valid" time="0.48" steps="101491"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="100476"/></proof>
+    <proof prover="1"><result status="valid" time="0.46" steps="100464"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.2.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="100479"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="100467"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.3" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.3.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.47" steps="99643"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="99631"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.55" steps="99643"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="99631"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="104652"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="104641"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.50" steps="105184"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="105172"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.55" steps="100267"/></proof>
+    <proof prover="1"><result status="valid" time="0.51" steps="100255"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="100201"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="100213"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="104562"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="104520"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="104874"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="104854"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="104972"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="104952"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.48" steps="100948"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="100960"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.52" steps="100241"/></proof>
+    <proof prover="1"><result status="valid" time="0.46" steps="100253"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.11" expl="postcondition" proved="true">
-    <proof prover="3" timelimit="5"><result status="valid" time="0.85" steps="263"/></proof>
+    <transf name="split_vc" proved="true" >
+     <goal name="interp_instr&#39;vc.87.3.11.0" expl="postcondition" proved="true">
+     <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="1.47" steps="263"/></proof>
+     </goal>
+    </transf>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.12" expl="postcondition" proved="true">
-    <proof prover="3" timelimit="5"><result status="valid" time="1.23" steps="712"/></proof>
+    <transf name="split_vc" proved="true" >
+     <goal name="interp_instr&#39;vc.87.3.12.0" expl="postcondition" proved="true">
+     <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="2.95" steps="712"/></proof>
+     </goal>
+    </transf>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="104052"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="104040"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="102749"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="102737"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.43" steps="103256"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="103244"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.52" steps="102939"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="102927"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="106420"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="106408"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="106418"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="106406"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="103428"/></proof>
+    <proof prover="1"><result status="valid" time="0.44" steps="103416"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.51" steps="103252"/></proof>
+    <proof prover="1"><result status="valid" time="0.51" steps="103240"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.71" steps="110188"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="110177"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="105608"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="105597"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="100080"/></proof>
+    <proof prover="1"><result status="valid" time="0.48" steps="100084"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="100926"/></proof>
+    <proof prover="1"><result status="valid" time="0.45" steps="100838"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.51" steps="101439"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="101418"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.52" steps="100080"/></proof>
+    <proof prover="1"><result status="valid" time="0.38" steps="100084"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.48" steps="102839"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="102827"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="102099"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="102087"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="106215"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="106203"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="100106"/></proof>
+    <proof prover="1"><result status="valid" time="0.51" steps="100110"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="101642"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="101630"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="100557"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="100545"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.3.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="100835"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="100823"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.4" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.4.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="99793"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="99781"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="99793"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="99781"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="104742"/></proof>
+    <proof prover="1"><result status="valid" time="0.47" steps="104731"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="105274"/></proof>
+    <proof prover="1"><result status="valid" time="0.51" steps="105262"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="100417"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="100405"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="100351"/></proof>
+    <proof prover="1"><result status="valid" time="0.51" steps="100363"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="104708"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="104668"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="104964"/></proof>
+    <proof prover="1"><result status="valid" time="0.42" steps="104944"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="105062"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="105042"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="101038"/></proof>
+    <proof prover="1"><result status="valid" time="0.50" steps="101050"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="100391"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="100403"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="106027"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="106015"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="103063"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="103051"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.13" expl="postcondition" proved="true">
     <transf name="split_vc" proved="true" >
      <goal name="interp_instr&#39;vc.87.4.13.0" expl="postcondition" proved="true">
-     <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="2.09" steps="384"/></proof>
+     <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="4.99" steps="384"/></proof>
      </goal>
     </transf>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.14" expl="postcondition" proved="true">
     <transf name="split_vc" proved="true" >
      <goal name="interp_instr&#39;vc.87.4.14.0" expl="postcondition" proved="true">
-     <proof prover="3"><result status="valid" time="0.19" steps="42"/></proof>
+     <proof prover="3"><result status="valid" time="0.47" steps="42"/></proof>
      </goal>
     </transf>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="103406"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="103394"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="103097"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="103085"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.69" steps="106510"/></proof>
+    <proof prover="1"><result status="valid" time="0.69" steps="106498"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.69" steps="106508"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="106496"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="103542"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="103530"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="103342"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="103330"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="110274"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="110263"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.72" steps="105758"/></proof>
+    <proof prover="1"><result status="valid" time="0.50" steps="105747"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="100230"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="100234"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="101076"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="100988"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="101529"/></proof>
+    <proof prover="1"><result status="valid" time="0.43" steps="101508"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="100230"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="100234"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="102929"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="102917"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="102249"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="102237"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="106365"/></proof>
+    <proof prover="1"><result status="valid" time="0.50" steps="106353"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="100256"/></proof>
+    <proof prover="1"><result status="valid" time="0.47" steps="100260"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="101732"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="101720"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="100707"/></proof>
+    <proof prover="1"><result status="valid" time="0.49" steps="100695"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.4.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.52" steps="100941"/></proof>
+    <proof prover="1"><result status="valid" time="0.45" steps="100929"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.5" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.5.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="98793"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="98781"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.52" steps="98793"/></proof>
+    <proof prover="1"><result status="valid" time="0.47" steps="98781"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="103742"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="103731"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="104274"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="104262"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="99417"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="99405"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="99351"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="99363"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.53" steps="103712"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="103670"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="103964"/></proof>
+    <proof prover="1"><result status="valid" time="0.53" steps="103944"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="104062"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="104042"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="100405"/></proof>
+    <proof prover="1"><result status="valid" time="0.51" steps="100415"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="99391"/></proof>
+    <proof prover="1"><result status="valid" time="0.49" steps="99403"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="105035"/></proof>
+    <proof prover="1"><result status="valid" time="0.48" steps="105023"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="102063"/></proof>
+    <proof prover="1"><result status="valid" time="0.47" steps="102051"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="103138"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="103126"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="101899"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="101887"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.49" steps="102406"/></proof>
+    <proof prover="1"><result status="valid" time="0.53" steps="102394"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="102097"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="102085"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="105510"/></proof>
+    <proof prover="1"><result status="valid" time="0.50" steps="105498"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="105508"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="105496"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="102542"/></proof>
+    <proof prover="1"><result status="valid" time="0.53" steps="102530"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.20" expl="postcondition" proved="true">
-    <proof prover="1" timelimit="20"><result status="valid" time="0.81" steps="175977"/></proof>
+    <proof prover="1" timelimit="5"><result status="valid" time="0.84" steps="176006"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.71" steps="109274"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="109263"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="104758"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="104747"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="99230"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="99234"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="100076"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="99988"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="100529"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="100508"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.55" steps="99230"/></proof>
+    <proof prover="1"><result status="valid" time="0.49" steps="99234"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="101929"/></proof>
+    <proof prover="1"><result status="valid" time="0.51" steps="101917"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="101249"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="101237"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="105365"/></proof>
+    <proof prover="1"><result status="valid" time="0.47" steps="105353"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="99256"/></proof>
+    <proof prover="1"><result status="valid" time="0.51" steps="99260"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="100732"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="100720"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="99707"/></proof>
+    <proof prover="1"><result status="valid" time="0.51" steps="99695"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.5.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="99941"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="99929"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.6" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.6.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="101433"/></proof>
+    <proof prover="1"><result status="valid" time="0.50" steps="101421"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="101433"/></proof>
+    <proof prover="1"><result status="valid" time="0.47" steps="101421"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="106382"/></proof>
+    <proof prover="1"><result status="valid" time="0.50" steps="106371"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="106914"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="106902"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="102057"/></proof>
+    <proof prover="1"><result status="valid" time="0.50" steps="102045"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="102019"/></proof>
+    <proof prover="1"><result status="valid" time="0.50" steps="102031"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="106382"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="106340"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="106638"/></proof>
+    <proof prover="1"><result status="valid" time="0.49" steps="106618"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="106736"/></proof>
+    <proof prover="1"><result status="valid" time="0.48" steps="106716"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="102708"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="102720"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="102059"/></proof>
+    <proof prover="1"><result status="valid" time="0.49" steps="102071"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="107701"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="107689"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.48" steps="104712"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="104700"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="105825"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="105813"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="104584"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="104572"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="105063"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="105051"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="104737"/></proof>
+    <proof prover="1"><result status="valid" time="0.49" steps="104725"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.17" expl="postcondition" proved="true">
     <transf name="split_vc" proved="true" >
@@ -1324,7 +1333,7 @@
       <goal name="interp_instr&#39;vc.87.6.17.0.0" expl="postcondition" proved="true">
       <transf name="inversion_arg_pr" proved="true" arg1="H">
        <goal name="interp_instr&#39;vc.87.6.17.0.0.0" expl="postcondition" proved="true">
-       <proof prover="3" timelimit="20"><result status="valid" time="10.65" steps="2599"/></proof>
+       <proof prover="3" timelimit="20"><result status="valid" time="10.71" steps="2599"/></proof>
        </goal>
       </transf>
       </goal>
@@ -1335,1034 +1344,1041 @@
     <goal name="interp_instr&#39;vc.87.6.18" expl="postcondition" proved="true">
     <transf name="split_vc" proved="true" >
      <goal name="interp_instr&#39;vc.87.6.18.0" expl="postcondition" proved="true">
-     <proof prover="3" timelimit="10"><result status="valid" time="9.99" steps="2821"/></proof>
+     <proof prover="3" timelimit="20"><result status="valid" time="10.35" steps="2821"/></proof>
      </goal>
     </transf>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.19" expl="postcondition" proved="true">
     <transf name="split_vc" proved="true" >
      <goal name="interp_instr&#39;vc.87.6.19.0" expl="postcondition" proved="true">
-     <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="5.79" steps="1608"/></proof>
+     <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="5.63" steps="1608"/></proof>
      </goal>
     </transf>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.69" steps="105010"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="104998"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.73" steps="111948"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="111937"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="107415"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="107404"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="101881"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="101885"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="102727"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="102639"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.48" steps="103201"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="103180"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="101881"/></proof>
+    <proof prover="1"><result status="valid" time="0.49" steps="101885"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.69" steps="104599"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="104587"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="103898"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="103886"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.47" steps="108031"/></proof>
+    <proof prover="1"><result status="valid" time="0.50" steps="108019"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="101907"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="101911"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="103421"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="103409"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="102394"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="102382"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.6.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="102590"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="102578"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.7" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.7.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="99699"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="99850"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="99699"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="99850"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="104334"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="104486"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="104866"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="105017"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="100323"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="100474"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="100263"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="100450"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.48" steps="104469"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="104575"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.7" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.28" steps="56"/></proof>
+    <proof prover="3"><result status="valid" time="0.34" steps="56"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.8" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.25" steps="152"/></proof>
+    <proof prover="3"><result status="valid" time="0.36" steps="160"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="100577"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="100764"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="100295"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="100482"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="105589"/></proof>
+    <proof prover="1"><result status="valid" time="0.45" steps="105740"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="102655"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="102806"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="103378"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="103529"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="102775"/></proof>
+    <proof prover="1"><result status="valid" time="0.53" steps="102926"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.53" steps="103282"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="103433"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="103003"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="103154"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.69" steps="106072"/></proof>
+    <proof prover="1"><result status="valid" time="0.69" steps="106223"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="106070"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="106221"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="103134"/></proof>
+    <proof prover="1"><result status="valid" time="0.69" steps="103285"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="102904"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="103055"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="109493"/></proof>
+    <proof prover="1"><result status="valid" time="0.74" steps="109645"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="105635"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="105787"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="100137"/></proof>
+    <proof prover="1"><result status="valid" time="0.42" steps="100304"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.45" steps="100898"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="100953"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="101036"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="101158"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="100137"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="100304"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="102521"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="102672"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="102155"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="102306"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.71" steps="106241"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="106392"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="100163"/></proof>
+    <proof prover="1"><result status="valid" time="0.47" steps="100330"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="101294"/></proof>
+    <proof prover="1"><result status="valid" time="0.68" steps="101445"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="100583"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="100734"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.7.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="100533"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="100684"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.8" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.8.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="97279"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="97266"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="97279"/></proof>
+    <proof prover="1"><result status="valid" time="0.44" steps="97266"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="101847"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="101835"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="102379"/></proof>
+    <proof prover="1"><result status="valid" time="0.46" steps="102366"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="97903"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="97890"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.55" steps="97825"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="97836"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="102121"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="102074"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="102020"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="101991"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="102118"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="102089"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="98143"/></proof>
+    <proof prover="1"><result status="valid" time="0.49" steps="98154"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.50" steps="97865"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="97876"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="103102"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="103089"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="100168"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="100155"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="100824"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="100811"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="100355"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="100342"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="100862"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="100849"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="100583"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="100570"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="103585"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="103572"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="103583"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="103570"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="100647"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="100634"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="100417"/></proof>
+    <proof prover="1"><result status="valid" time="0.47" steps="100404"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.72" steps="106938"/></proof>
+    <proof prover="1"><result status="valid" time="0.71" steps="106926"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="103214"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="103202"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.48" steps="97740"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="97751"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="98533"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="98749"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="98636"/></proof>
+    <proof prover="1"><result status="valid" time="0.75" steps="122495"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="97734"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="97745"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="100021"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="100008"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.51" steps="99722"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="99709"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="103808"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="103795"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="97760"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="97771"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="98794"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="98781"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="98163"/></proof>
+    <proof prover="1"><result status="valid" time="0.53" steps="98150"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.8.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="98046"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="98033"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.9" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.9.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="100610"/></proof>
+    <proof prover="1"><result status="valid" time="0.51" steps="100598"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="100610"/></proof>
+    <proof prover="1"><result status="valid" time="0.69" steps="100598"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="105040"/></proof>
+    <proof prover="1"><result status="valid" time="0.78" steps="105029"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="105705"/></proof>
+    <proof prover="1"><result status="valid" time="0.74" steps="105693"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="101172"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="101160"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="101151"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="101163"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="105522"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="105483"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.69" steps="105424"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="105405"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.55" steps="105522"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="105503"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="101482"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="101494"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="101191"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="101203"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="106429"/></proof>
+    <proof prover="1"><result status="valid" time="0.70" steps="106417"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="103510"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="103498"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="104166"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="104154"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="103678"/></proof>
+    <proof prover="1"><result status="valid" time="0.47" steps="103666"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="104183"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="104171"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.49" steps="103889"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="103877"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="106904"/></proof>
+    <proof prover="1"><result status="valid" time="0.72" steps="106892"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="106902"/></proof>
+    <proof prover="1"><result status="valid" time="0.69" steps="106890"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="103981"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="103969"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="103740"/></proof>
+    <proof prover="1"><result status="valid" time="0.47" steps="103728"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.72" steps="110290"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="110279"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.70" steps="106542"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="106531"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="100976"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="100980"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="101739"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="101654"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="101834"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="101814"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.52" steps="101390"/></proof>
+    <proof prover="1"><result status="valid" time="0.72" steps="101394"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.27" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.34" steps="120"/></proof>
+    <proof prover="3"><result status="valid" time="0.37" steps="120"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.28" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.44" steps="277"/></proof>
+    <proof prover="3"><result status="valid" time="0.60" steps="277"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.29" expl="postcondition" proved="true">
     <transf name="split_vc" proved="true" >
      <goal name="interp_instr&#39;vc.87.9.29.0" expl="postcondition" proved="true">
      <transf name="split_vc" proved="true" >
       <goal name="interp_instr&#39;vc.87.9.29.0.0" expl="postcondition" proved="true">
-      <proof prover="3"><result status="valid" time="0.19" steps="60"/></proof>
+      <proof prover="3"><result status="valid" time="0.17" steps="60"/></proof>
       </goal>
       <goal name="interp_instr&#39;vc.87.9.29.0.1" expl="postcondition" proved="true">
-      <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="9.01" steps="1914"/></proof>
+      <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="5.18" steps="1914"/></proof>
       </goal>
      </transf>
      </goal>
      <goal name="interp_instr&#39;vc.87.9.29.1" expl="postcondition" proved="true">
-     <proof prover="3"><result status="valid" time="0.43" steps="60"/></proof>
+     <proof prover="3"><result status="valid" time="0.32" steps="60"/></proof>
      </goal>
     </transf>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.50" steps="101002"/></proof>
+    <proof prover="1"><result status="valid" time="0.68" steps="101006"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.70" steps="102000"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="101988"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="101490"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="101478"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.9.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="101394"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="101382"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.10" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.10.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="99583"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="99571"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="99583"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="99571"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.2" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.88" steps="749"/></proof>
+    <transf name="split_vc" proved="true" >
+     <goal name="interp_instr&#39;vc.87.10.2.0" expl="postcondition" proved="true">
+     <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="2.02" steps="1116"/></proof>
+     </goal>
+     <goal name="interp_instr&#39;vc.87.10.2.1" expl="postcondition" proved="true">
+     <proof prover="3"><result status="valid" time="0.29" steps="66"/></proof>
+     </goal>
+    </transf>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.71" steps="105225"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="105213"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="100195"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="100183"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="100038"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="100050"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="104652"/></proof>
+    <proof prover="1"><result status="valid" time="0.43" steps="104496"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="104917"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="104897"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="105015"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="104995"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="100846"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="100858"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="100078"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="100090"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="105664"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="105652"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="102731"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="102719"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="103908"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="103896"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="102695"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="102683"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="103151"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="103139"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="102755"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="102743"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="106136"/></proof>
+    <proof prover="1"><result status="valid" time="0.69" steps="106124"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="106134"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="106122"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="103200"/></proof>
+    <proof prover="1"><result status="valid" time="0.71" steps="103188"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.53" steps="102982"/></proof>
+    <proof prover="1"><result status="valid" time="0.70" steps="102970"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="110033"/></proof>
+    <proof prover="1"><result status="valid" time="0.77" steps="110022"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="105428"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="105417"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="99900"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="99904"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="100860"/></proof>
+    <proof prover="1"><result status="valid" time="0.45" steps="100658"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="101339"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="101318"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="99900"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="99904"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="102739"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="102727"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.51" steps="101922"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="101910"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="106013"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="106001"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="99926"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="99930"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="101511"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="101499"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.46" steps="100471"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="100459"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.10.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="100595"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="100583"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.11" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.11.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="96925"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="96913"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="96925"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="96913"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.70" steps="101493"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="101482"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="102025"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="102013"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.55" steps="97549"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="97537"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.47" steps="97477"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="97489"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="101838"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="101796"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="101715"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="101695"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="101813"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="101793"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="97789"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="97801"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="97517"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="97529"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="102756"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="102744"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="99814"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="99802"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="100478"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="100466"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="100001"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="99989"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="100508"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="100496"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="100229"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="100217"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="103231"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="103219"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="103229"/></proof>
+    <proof prover="1"><result status="valid" time="0.68" steps="103217"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="100293"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="100281"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="100063"/></proof>
+    <proof prover="1"><result status="valid" time="0.51" steps="100051"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.69" steps="106584"/></proof>
+    <proof prover="1"><result status="valid" time="0.71" steps="106573"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="102860"/></proof>
+    <proof prover="1"><result status="valid" time="0.70" steps="102849"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="97374"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="97378"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="98182"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="98094"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="98256"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="98235"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="97374"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="97378"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="99656"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="99644"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="99357"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="99345"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.70" steps="103443"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="103431"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.53" steps="97404"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="97408"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="99109"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="99097"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="97809"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="97797"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.11.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="97692"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="97680"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.12" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.12.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="99450"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="99438"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="99450"/></proof>
+    <proof prover="1"><result status="valid" time="0.49" steps="99438"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="104265"/></proof>
+    <proof prover="1"><result status="valid" time="0.68" steps="104253"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.71" steps="104610"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="104598"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.70" steps="100070"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="100058"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="99908"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="99920"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="104174"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="104133"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="104524"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="104504"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="104611"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="104591"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="100666"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="100678"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="99948"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="99960"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="105538"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="105526"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="102700"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="102688"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="103667"/></proof>
+    <proof prover="1"><result status="valid" time="0.68" steps="103655"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.70" steps="102478"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="102466"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="102901"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="102889"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="102687"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="102675"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.70" steps="105975"/></proof>
+    <proof prover="1"><result status="valid" time="0.71" steps="105963"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="105973"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="105961"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.71" steps="103107"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="103095"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="102896"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="102884"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.75" steps="109476"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="109464"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.71" steps="105160"/></proof>
+    <proof prover="1"><result status="valid" time="0.72" steps="105148"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="99865"/></proof>
+    <proof prover="1"><result status="valid" time="0.52" steps="99869"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="100684"/></proof>
+    <proof prover="1"><result status="valid" time="0.58" steps="100599"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="101157"/></proof>
+    <proof prover="1"><result status="valid" time="0.73" steps="101137"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="99865"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="99869"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="102529"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="102517"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="101877"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="101865"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="105762"/></proof>
+    <proof prover="1"><result status="valid" time="0.68" steps="105750"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.47" steps="99891"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="99895"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="101222"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="101210"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="100707"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="100695"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.12.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="100959"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="100947"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.13" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.13.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="101907"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="101895"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="101907"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="101895"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="106847"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="106836"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="107379"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="107367"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="102531"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="102519"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="102493"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="102505"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="106852"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="106812"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="107103"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="107083"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="107201"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="107181"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.53" steps="103173"/></proof>
+    <proof prover="1"><result status="valid" time="0.53" steps="103185"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="102533"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="102545"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="108141"/></proof>
+    <proof prover="1"><result status="valid" time="0.69" steps="108129"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="105177"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="105165"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="106256"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="106244"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="105041"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="105029"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.50" steps="105520"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="105508"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="105211"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="105199"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="108615"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="108603"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.69" steps="108613"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="108601"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="105647"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="105635"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="105458"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="105446"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.21" expl="postcondition" proved="true">
     <transf name="split_vc" proved="true" >
      <goal name="interp_instr&#39;vc.87.13.21.0" expl="postcondition" proved="true">
-     <proof prover="3"><result status="valid" time="0.75" steps="131"/></proof>
+     <proof prover="3"><result status="valid" time="0.65" steps="131"/></proof>
      </goal>
     </transf>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.22" expl="postcondition" proved="true">
     <transf name="split_vc" proved="true" >
      <goal name="interp_instr&#39;vc.87.13.22.0" expl="postcondition" proved="true">
-     <proof prover="3"><result status="valid" time="0.38" steps="121"/></proof>
+     <proof prover="3"><result status="valid" time="0.31" steps="121"/></proof>
      </goal>
     </transf>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="102355"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="102359"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="103201"/></proof>
+    <proof prover="1"><result status="valid" time="0.49" steps="103113"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="103666"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="103645"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="102355"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="102359"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="105064"/></proof>
+    <proof prover="1"><result status="valid" time="0.70" steps="105052"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.50" steps="104372"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="104360"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="108488"/></proof>
+    <proof prover="1"><result status="valid" time="0.68" steps="108476"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="102381"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="102385"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="103869"/></proof>
+    <proof prover="1"><result status="valid" time="0.56" steps="103857"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="102851"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="102839"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.13.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="103055"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="103043"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.14" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.14.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="107619"/></proof>
+    <proof prover="1"><result status="valid" time="0.71" steps="107607"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="99465"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="99453"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="104394"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="104383"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="104934"/></proof>
+    <proof prover="1"><result status="valid" time="0.70" steps="104922"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="100050"/></proof>
+    <proof prover="1"><result status="valid" time="0.51" steps="100038"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.60" steps="99779"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="99791"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="104300"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="104129"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="104658"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="104638"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="104747"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="104727"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="100723"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="100735"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="99819"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="99831"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.47" steps="105406"/></proof>
+    <proof prover="1"><result status="valid" time="0.68" steps="105394"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.48" steps="102473"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="102461"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="103780"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="103768"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="102565"/></proof>
+    <proof prover="1"><result status="valid" time="0.49" steps="102553"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="103025"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="103013"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="102500"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="102488"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="105878"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="105866"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="105876"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="105864"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="102942"/></proof>
+    <proof prover="1"><result status="valid" time="0.50" steps="102930"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="102724"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="102712"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.71" steps="109874"/></proof>
+    <proof prover="1"><result status="valid" time="0.71" steps="109863"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="105138"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="105127"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="99641"/></proof>
+    <proof prover="1"><result status="valid" time="0.54" steps="99645"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="100631"/></proof>
+    <proof prover="1"><result status="valid" time="0.48" steps="100399"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="101210"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="101189"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="99641"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="99645"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="102612"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="102600"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="101682"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="101670"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.68" steps="105951"/></proof>
+    <proof prover="1"><result status="valid" time="0.72" steps="105939"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="99667"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="99671"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="101382"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="101370"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="100355"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="100343"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.14.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="100358"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="100346"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_instr&#39;vc.87.15" expl="postcondition" proved="true">
    <transf name="inversion_arg_pr" proved="true" arg1="H">
     <goal name="interp_instr&#39;vc.87.15.0" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="99465"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="99453"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.1" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.72" steps="107562"/></proof>
+    <proof prover="1"><result status="valid" time="0.72" steps="107550"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.2" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="104394"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="104383"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.3" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.70" steps="104934"/></proof>
+    <proof prover="1"><result status="valid" time="0.66" steps="104922"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.4" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="100050"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="100038"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.5" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="99779"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="99791"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.6" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.66" steps="104300"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="104129"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.7" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.70" steps="104658"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="104638"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.8" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.70" steps="104747"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="104727"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.9" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="100723"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="100735"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.10" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="99819"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="99831"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.11" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="105406"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="105394"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.12" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.51" steps="102473"/></proof>
+    <proof prover="1"><result status="valid" time="0.64" steps="102461"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.13" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="103780"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="103768"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.14" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="102565"/></proof>
+    <proof prover="1"><result status="valid" time="0.63" steps="102553"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.15" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.58" steps="103025"/></proof>
+    <proof prover="1"><result status="valid" time="0.59" steps="103013"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.16" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="102500"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="102488"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.17" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.57" steps="105878"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="105866"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.18" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.67" steps="105876"/></proof>
+    <proof prover="1"><result status="valid" time="0.68" steps="105864"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.19" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="102942"/></proof>
+    <proof prover="1"><result status="valid" time="0.44" steps="102930"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.20" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.63" steps="102724"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="102712"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.21" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="109874"/></proof>
+    <proof prover="1"><result status="valid" time="0.75" steps="109863"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.22" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.44" steps="105138"/></proof>
+    <proof prover="1"><result status="valid" time="0.72" steps="105127"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.23" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.61" steps="99641"/></proof>
+    <proof prover="1"><result status="valid" time="0.67" steps="99645"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.24" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.47" steps="100631"/></proof>
+    <proof prover="1"><result status="valid" time="0.57" steps="100399"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.25" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="101210"/></proof>
+    <proof prover="1"><result status="valid" time="0.65" steps="101189"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.26" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.62" steps="99641"/></proof>
+    <proof prover="1"><result status="valid" time="0.55" steps="99645"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.27" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.65" steps="102612"/></proof>
+    <proof prover="1"><result status="valid" time="0.62" steps="102600"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.28" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.55" steps="101682"/></proof>
+    <proof prover="1"><result status="valid" time="0.60" steps="101670"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.29" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.54" steps="105951"/></proof>
+    <proof prover="1"><result status="valid" time="0.45" steps="105939"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.30" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.59" steps="99667"/></proof>
+    <proof prover="1"><result status="valid" time="0.61" steps="99671"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.31" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.56" steps="101382"/></proof>
+    <proof prover="1"><result status="valid" time="0.71" steps="101370"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.32" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.64" steps="100355"/></proof>
+    <proof prover="1"><result status="valid" time="0.75" steps="100343"/></proof>
     </goal>
     <goal name="interp_instr&#39;vc.87.15.33" expl="postcondition" proved="true">
-    <proof prover="1"><result status="valid" time="0.74" steps="100358"/></proof>
+    <proof prover="1"><result status="valid" time="0.71" steps="100346"/></proof>
     </goal>
    </transf>
    </goal>
@@ -2370,126 +2386,137 @@
   </goal>
  </transf>
  </goal>
- <goal name="interp_foreach&#39;vc" expl="VC for interp_foreach" proved="true">
+ <goal name="MakeSemantics.MakeInterpreter.interp_foreach&#39;vc" expl="VC for interp_foreach" proved="true">
  <transf name="split_vc" proved="true" >
   <goal name="interp_foreach&#39;vc.0" expl="variant decrease" proved="true">
-  <proof prover="3"><result status="valid" time="0.09" steps="29"/></proof>
+  <transf name="split_vc" proved="true" >
+   <goal name="interp_foreach&#39;vc.0.0" expl="variant decrease" proved="true">
+   <proof prover="3"><result status="valid" time="0.11" steps="28"/></proof>
+   </goal>
+   <goal name="interp_foreach&#39;vc.0.1" expl="variant decrease" proved="true">
+   <proof prover="1"><result status="valid" time="0.37" steps="90680"/></proof>
+   </goal>
+  </transf>
   </goal>
   <goal name="interp_foreach&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="0.14" steps="26"/></proof>
+  <proof prover="3" timelimit="10"><result status="valid" time="0.16" steps="26"/></proof>
   </goal>
   <goal name="interp_foreach&#39;vc.2" expl="precondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="interp_foreach&#39;vc.2.0" expl="precondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.11" steps="62"/></proof>
-   </goal>
-  </transf>
+  <proof prover="3" timelimit="10"><result status="valid" time="0.18" steps="62"/></proof>
   </goal>
   <goal name="interp_foreach&#39;vc.3" expl="variant decrease" proved="true">
-  <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="0.08" steps="39"/></proof>
+  <proof prover="3"><result status="valid" time="0.18" steps="39"/></proof>
   </goal>
   <goal name="interp_foreach&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.18" steps="36"/></proof>
+  <proof prover="3"><result status="valid" time="0.21" steps="36"/></proof>
   </goal>
   <goal name="interp_foreach&#39;vc.5" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.21" steps="36"/></proof>
+  <proof prover="1"><result status="valid" time="0.15" steps="84623"/></proof>
   </goal>
   <goal name="interp_foreach&#39;vc.6" expl="postcondition" proved="true">
-  <proof prover="3" timelimit="10"><result status="valid" time="1.58" steps="1099"/></proof>
+  <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="3.54" steps="1277"/></proof>
   </goal>
   <goal name="interp_foreach&#39;vc.7" expl="postcondition" proved="true">
-  <proof prover="3" timelimit="10"><result status="valid" time="1.51" steps="1024"/></proof>
+  <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="2.96" steps="1024"/></proof>
   </goal>
   <goal name="interp_foreach&#39;vc.8" expl="postcondition" proved="true">
   <transf name="split_vc" proved="true" >
    <goal name="interp_foreach&#39;vc.8.0" expl="postcondition" proved="true">
-   <proof prover="3" timelimit="10"><result status="valid" time="0.32" steps="368"/></proof>
+   <proof prover="3"><result status="valid" time="0.34" steps="368"/></proof>
    </goal>
    <goal name="interp_foreach&#39;vc.8.1" expl="postcondition" proved="true">
-   <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="6.42" steps="4178"/></proof>
+   <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="5.48" steps="4178"/></proof>
    </goal>
   </transf>
   </goal>
  </transf>
  </goal>
- <goal name="interp_while&#39;vc" expl="VC for interp_while" proved="true">
+ <goal name="MakeSemantics.MakeInterpreter.interp_while&#39;vc" expl="VC for interp_while" proved="true">
  <transf name="split_vc" proved="true" >
   <goal name="interp_while&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.19" steps="28"/></proof>
+  <proof prover="1"><result status="valid" time="0.19" steps="83814"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.1" expl="variant decrease" proved="true">
-  <proof prover="1" timelimit="5"><result status="valid" time="0.64" steps="89957"/></proof>
+  <proof prover="1"><result status="valid" time="0.53" steps="89945"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.17" steps="32"/></proof>
+  <proof prover="1"><result status="valid" time="0.25" steps="83853"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.3" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.28" steps="89929"/></proof>
+  <proof prover="1"><result status="valid" time="0.50" steps="89917"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.4" expl="assertion" proved="true">
-  <proof prover="3"><result status="valid" time="0.33" steps="91"/></proof>
+  <proof prover="1"><result status="valid" time="0.60" steps="102145"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.5" expl="assertion" proved="true">
-  <proof prover="3"><result status="valid" time="0.16" steps="131"/></proof>
+  <proof prover="3"><result status="valid" time="0.29" steps="131"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.6" expl="assertion" proved="true">
-  <proof prover="3"><result status="valid" time="0.18" steps="131"/></proof>
+  <proof prover="3"><result status="valid" time="0.38" steps="131"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.7" expl="assertion" proved="true">
-  <proof prover="3"><result status="valid" time="0.36" steps="131"/></proof>
+  <proof prover="3"><result status="valid" time="0.33" steps="131"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.8" expl="variant decrease" proved="true">
-  <proof prover="3"><result status="valid" time="0.18" steps="70"/></proof>
+  <proof prover="1"><result status="valid" time="0.61" steps="93942"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.9" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.17" steps="44"/></proof>
+  <proof prover="1"><result status="valid" time="0.29" steps="86442"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.16" steps="44"/></proof>
+  <proof prover="1"><result status="valid" time="0.29" steps="86446"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.11" expl="assertion" proved="true">
-  <proof prover="6"><result status="valid" time="0.36" steps="1552108"/></proof>
+  <transf name="split_vc" proved="true" >
+   <goal name="interp_while&#39;vc.11.0" expl="assertion" proved="true">
+   <proof prover="1" timelimit="10" memlimit="4000"><result status="valid" time="1.39" steps="177480"/></proof>
+   </goal>
+  </transf>
   </goal>
   <goal name="interp_while&#39;vc.12" expl="assertion" proved="true">
   <transf name="split_vc" proved="true" >
    <goal name="interp_while&#39;vc.12.0" expl="assertion" proved="true">
-   <proof prover="3" timelimit="60"><result status="valid" time="9.09" steps="1995"/></proof>
+   <proof prover="3" timelimit="20"><result status="valid" time="7.08" steps="1995"/></proof>
    </goal>
   </transf>
   </goal>
   <goal name="interp_while&#39;vc.13" expl="variant decrease" proved="true">
-  <proof prover="3"><result status="valid" time="0.21" steps="54"/></proof>
+  <proof prover="1"><result status="valid" time="0.29" steps="87441"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.14" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.22" steps="54"/></proof>
+  <proof prover="1"><result status="valid" time="0.27" steps="87396"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.15" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.16" steps="54"/></proof>
+  <proof prover="1"><result status="valid" time="0.44" steps="91391"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.16" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.14" steps="87451"/></proof>
+  <proof prover="1"><result status="valid" time="0.31" steps="87439"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.17" expl="postcondition" proved="true">
-  <proof prover="3" timelimit="60"><result status="valid" time="17.63" steps="5255"/></proof>
+  <transf name="split_vc" proved="true" >
+   <goal name="interp_while&#39;vc.17.0" expl="postcondition" proved="true">
+   <proof prover="3" timelimit="30"><result status="valid" time="14.42" steps="5255"/></proof>
+   </goal>
+  </transf>
   </goal>
   <goal name="interp_while&#39;vc.18" expl="postcondition" proved="true">
-  <proof prover="3" timelimit="10"><result status="valid" time="0.46" steps="127"/></proof>
+  <proof prover="3"><result status="valid" time="0.39" steps="127"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.19" expl="postcondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.82" steps="161851"/></proof>
+  <proof prover="3"><result status="valid" time="0.50" steps="143"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.20" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.44" steps="144"/></proof>
+  <proof prover="3"><result status="valid" time="0.41" steps="144"/></proof>
   </goal>
   <goal name="interp_while&#39;vc.21" expl="postcondition" proved="true">
   <transf name="split_vc" proved="true" >
    <goal name="interp_while&#39;vc.21.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.33" steps="433"/></proof>
+   <proof prover="3"><result status="valid" time="0.54" steps="433"/></proof>
    </goal>
    <goal name="interp_while&#39;vc.21.1" expl="postcondition" proved="true">
    <transf name="split_vc" proved="true" >
     <goal name="interp_while&#39;vc.21.1.0" expl="postcondition" proved="true">
-    <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="4.90" steps="3902"/></proof>
+    <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="5.74" steps="3902"/></proof>
     </goal>
    </transf>
    </goal>
@@ -2497,25 +2524,41 @@
   </goal>
  </transf>
  </goal>
- <goal name="interp_instr&#39;&#39;vc" expl="VC for interp_instr&#39;" proved="true">
- <proof prover="1" timelimit="0" memlimit="0"><result status="valid" time="1.60" steps="171062"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.interp_instr&#39;&#39;vc" expl="VC for interp_instr&#39;" proved="true">
+ <transf name="split_vc" proved="true" >
+  <goal name="interp_instr&#39;&#39;vc.0" expl="variant decrease" proved="true">
+  <proof prover="1"><result status="valid" time="0.33" steps="90418"/></proof>
+  </goal>
+  <goal name="interp_instr&#39;&#39;vc.1" expl="precondition" proved="true">
+  <proof prover="1"><result status="valid" time="0.24" steps="83815"/></proof>
+  </goal>
+  <goal name="interp_instr&#39;&#39;vc.2" expl="precondition" proved="true">
+  <proof prover="1"><result status="valid" time="0.32" steps="92588"/></proof>
+  </goal>
+  <goal name="interp_instr&#39;&#39;vc.3" expl="postcondition" proved="true">
+  <proof prover="1"><result status="valid" time="0.97" steps="114127"/></proof>
+  </goal>
+  <goal name="interp_instr&#39;&#39;vc.4" expl="postcondition" proved="true">
+  <proof prover="1"><result status="valid" time="0.83" steps="100097"/></proof>
+  </goal>
+ </transf>
  </goal>
- <goal name="interp_str_expr&#39;vc" expl="VC for interp_str_expr" proved="true">
+ <goal name="MakeSemantics.MakeInterpreter.interp_str_expr&#39;vc" expl="VC for interp_str_expr" proved="true">
  <transf name="split_vc" proved="true" >
   <goal name="interp_str_expr&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.16" steps="28"/></proof>
+  <proof prover="3"><result status="valid" time="0.22" steps="28"/></proof>
   </goal>
   <goal name="interp_str_expr&#39;vc.1" expl="variant decrease" proved="true">
   <proof prover="3"><result status="valid" time="0.26" steps="100"/></proof>
   </goal>
   <goal name="interp_str_expr&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.22" steps="26"/></proof>
+  <proof prover="3"><result status="valid" time="0.20" steps="26"/></proof>
   </goal>
   <goal name="interp_str_expr&#39;vc.3" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.19" steps="58"/></proof>
+  <proof prover="1"><result status="valid" time="0.76" steps="89741"/></proof>
   </goal>
   <goal name="interp_str_expr&#39;vc.4" expl="assertion" proved="true">
-  <proof prover="3"><result status="valid" time="0.63" steps="234"/></proof>
+  <proof prover="3"><result status="valid" time="0.68" steps="234"/></proof>
   </goal>
   <goal name="interp_str_expr&#39;vc.5" expl="assertion" proved="true">
   <transf name="split_vc" proved="true" >
@@ -2532,79 +2575,69 @@
   <proof prover="3"><result status="valid" time="0.37" steps="85"/></proof>
   </goal>
   <goal name="interp_str_expr&#39;vc.7" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.34" steps="89"/></proof>
+  <proof prover="3"><result status="valid" time="0.40" steps="89"/></proof>
   </goal>
   <goal name="interp_str_expr&#39;vc.8" expl="variant decrease" proved="true">
-  <proof prover="3"><result status="valid" time="0.28" steps="103"/></proof>
+  <proof prover="3"><result status="valid" time="0.16" steps="103"/></proof>
   </goal>
   <goal name="interp_str_expr&#39;vc.9" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.19" steps="26"/></proof>
+  <transf name="inversion_arg_pr" proved="true" arg1="H">
+   <goal name="interp_str_expr&#39;vc.9.0" expl="precondition" proved="true">
+   <proof prover="1" timelimit="5"><result status="valid" time="0.36" steps="83803"/></proof>
+   </goal>
+  </transf>
   </goal>
   <goal name="interp_str_expr&#39;vc.10" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.23" steps="26"/></proof>
+  <proof prover="3"><result status="valid" time="0.15" steps="26"/></proof>
   </goal>
   <goal name="interp_str_expr&#39;vc.11" expl="variant decrease" proved="true">
-  <proof prover="1"><result status="valid" time="0.29" steps="90982"/></proof>
+  <transf name="split_vc" proved="true" >
+   <goal name="interp_str_expr&#39;vc.11.0" expl="variant decrease" proved="true">
+   <proof prover="3"><result status="valid" time="0.17" steps="28"/></proof>
+   </goal>
+   <goal name="interp_str_expr&#39;vc.11.1" expl="variant decrease" proved="true">
+   <transf name="split_vc" proved="true" >
+    <goal name="interp_str_expr&#39;vc.11.1.0" expl="variant decrease" proved="true">
+    <proof prover="3"><result status="valid" time="0.20" steps="78"/></proof>
+    </goal>
+   </transf>
+   </goal>
+  </transf>
   </goal>
   <goal name="interp_str_expr&#39;vc.12" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.29" steps="26"/></proof>
+  <proof prover="3"><result status="valid" time="0.23" steps="26"/></proof>
   </goal>
   <goal name="interp_str_expr&#39;vc.13" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.20" steps="26"/></proof>
+  <proof prover="3"><result status="valid" time="0.12" steps="26"/></proof>
   </goal>
   <goal name="interp_str_expr&#39;vc.14" expl="postcondition" proved="true">
-  <transf name="inversion_arg_pr" proved="true" arg1="H">
-   <goal name="interp_str_expr&#39;vc.14.0" expl="postcondition" proved="true">
-   <proof prover="1" timelimit="5"><result status="valid" time="0.68" steps="95576"/></proof>
-   </goal>
-   <goal name="interp_str_expr&#39;vc.14.1" expl="postcondition" proved="true">
-   <proof prover="1" timelimit="5"><result status="valid" time="0.54" steps="95697"/></proof>
-   </goal>
-   <goal name="interp_str_expr&#39;vc.14.2" expl="postcondition" proved="true">
-   <proof prover="1" timelimit="5"><result status="valid" time="0.77" steps="98716"/></proof>
-   </goal>
-   <goal name="interp_str_expr&#39;vc.14.3" expl="postcondition" proved="true">
-   <proof prover="3" timelimit="5"><result status="valid" time="0.65" steps="286"/></proof>
-   </goal>
-   <goal name="interp_str_expr&#39;vc.14.4" expl="postcondition" proved="true">
-   <proof prover="3" timelimit="5"><result status="valid" time="0.42" steps="48"/></proof>
-   </goal>
-   <goal name="interp_str_expr&#39;vc.14.5" expl="postcondition" proved="true">
-   <proof prover="1"><result status="valid" time="0.35" steps="97395"/></proof>
-   </goal>
-   <goal name="interp_str_expr&#39;vc.14.6" expl="postcondition" proved="true">
-   <proof prover="3" timelimit="5"><result status="valid" time="0.39" steps="388"/></proof>
-   </goal>
-   <goal name="interp_str_expr&#39;vc.14.7" expl="postcondition" proved="true">
-   <proof prover="1"><result status="valid" time="0.33" steps="97970"/></proof>
-   </goal>
-  </transf>
+  <proof prover="3"><result status="valid" time="0.28" steps="94"/></proof>
   </goal>
   <goal name="interp_str_expr&#39;vc.15" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.22" steps="110"/></proof>
+  <proof prover="3"><result status="valid" time="0.19" steps="110"/></proof>
   </goal>
   <goal name="interp_str_expr&#39;vc.16" expl="postcondition" proved="true">
   <transf name="split_vc" proved="true" >
    <goal name="interp_str_expr&#39;vc.16.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.38" steps="582"/></proof>
+   <proof prover="3"><result status="valid" time="0.42" steps="582"/></proof>
    </goal>
    <goal name="interp_str_expr&#39;vc.16.1" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.35" steps="640"/></proof>
+   <proof prover="3"><result status="valid" time="0.54" steps="640"/></proof>
    </goal>
    <goal name="interp_str_expr&#39;vc.16.2" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.49" steps="726"/></proof>
+   <proof prover="3"><result status="valid" time="0.58" steps="726"/></proof>
    </goal>
    <goal name="interp_str_expr&#39;vc.16.3" expl="postcondition" proved="true">
    <transf name="split_vc" proved="true" >
     <goal name="interp_str_expr&#39;vc.16.3.0" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.31" steps="591"/></proof>
+    <proof prover="3"><result status="valid" time="0.46" steps="591"/></proof>
     </goal>
    </transf>
    </goal>
    <goal name="interp_str_expr&#39;vc.16.4" expl="postcondition" proved="true">
    <transf name="split_vc" proved="true" >
     <goal name="interp_str_expr&#39;vc.16.4.0" expl="postcondition" proved="true">
-    <proof prover="3"><result status="valid" time="0.92" steps="1384"/></proof>
+    <proof prover="3" timelimit="10" memlimit="4000"><result status="valid" time="0.96" steps="1384"/></proof>
     </goal>
    </transf>
    </goal>
@@ -2612,64 +2645,49 @@
   </goal>
  </transf>
  </goal>
- <goal name="interp_list_expr&#39;vc" expl="VC for interp_list_expr" proved="true">
+ <goal name="MakeSemantics.MakeInterpreter.interp_list_expr&#39;vc" expl="VC for interp_list_expr" proved="true">
  <transf name="split_vc" proved="true" >
   <goal name="interp_list_expr&#39;vc.0" expl="variant decrease" proved="true">
-  <transf name="inversion_arg_pr" proved="true" arg1="H">
-   <goal name="interp_list_expr&#39;vc.0.0" expl="variant decrease" proved="true">
-   <proof prover="1"><result status="valid" time="0.67" steps="93178"/></proof>
-   </goal>
-  </transf>
+  <proof prover="1"><result status="valid" time="0.43" steps="90202"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.14" steps="83844"/></proof>
+  <proof prover="1"><result status="valid" time="0.16" steps="83832"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.2" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.19" steps="26"/></proof>
+  <proof prover="1"><result status="valid" time="0.26" steps="83836"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.3" expl="variant decrease" proved="true">
-  <proof prover="3"><result status="valid" time="0.30" steps="116"/></proof>
+  <proof prover="3"><result status="valid" time="0.26" steps="116"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.4" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.26" steps="26"/></proof>
+  <proof prover="1"><result status="valid" time="0.26" steps="84552"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.5" expl="precondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.20" steps="26"/></proof>
+  <proof prover="1"><result status="valid" time="0.27" steps="84556"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.6" expl="postcondition" proved="true">
-  <proof prover="3"><result status="valid" time="0.20" steps="96"/></proof>
+  <proof prover="1"><result status="valid" time="0.56" steps="101289"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.7" expl="postcondition" proved="true">
-  <transf name="split_vc" proved="true" >
-   <goal name="interp_list_expr&#39;vc.7.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.15" steps="104"/></proof>
-   </goal>
-  </transf>
+  <proof prover="3"><result status="valid" time="0.20" steps="104"/></proof>
   </goal>
   <goal name="interp_list_expr&#39;vc.8" expl="postcondition" proved="true">
   <transf name="split_vc" proved="true" >
    <goal name="interp_list_expr&#39;vc.8.0" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.15" steps="335"/></proof>
+   <proof prover="3"><result status="valid" time="0.17" steps="335"/></proof>
    </goal>
    <goal name="interp_list_expr&#39;vc.8.1" expl="postcondition" proved="true">
-   <proof prover="3"><result status="valid" time="0.61" steps="1235"/></proof>
+   <proof prover="3"><result status="valid" time="0.65" steps="1235"/></proof>
    </goal>
   </transf>
   </goal>
  </transf>
  </goal>
- <goal name="interp_function_definitions&#39;vc" expl="VC for interp_function_definitions" proved="true">
- <proof prover="1"><result status="valid" time="0.64" steps="94462"/></proof>
+ <goal name="MakeSemantics.MakeInterpreter.interp_function_definitions&#39;vc" expl="VC for interp_function_definitions" proved="true">
+ <proof prover="1" timelimit="0" memlimit="0"><result status="valid" time="0.60" steps="94451"/></proof>
  </goal>
- <goal name="interp_program&#39;vc" expl="VC for interp_program" proved="true">
- <transf name="split_vc" proved="true" >
-  <goal name="interp_program&#39;vc.0" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.40" steps="84914"/></proof>
-  </goal>
-  <goal name="interp_program&#39;vc.1" expl="precondition" proved="true">
-  <proof prover="1"><result status="valid" time="0.65" steps="90952"/></proof>
-  </goal>
- </transf>
+ <goal name="MakeSemantics.MakeInterpreter.interp_program&#39;vc" expl="VC for interp_program" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="67"/></proof>
  </goal>
 </theory>
 </file>
diff --git a/src/symbolic/symbolicInterpreter/why3shapes.gz b/src/symbolic/symbolicInterpreter/why3shapes.gz
index 8333f195..55bd1abb 100644
Binary files a/src/symbolic/symbolicInterpreter/why3shapes.gz and b/src/symbolic/symbolicInterpreter/why3shapes.gz differ
diff --git a/src/symbolic/symbolicUtility.ml b/src/symbolic/symbolicUtility.ml
index a419e265..1509df97 100644
--- a/src/symbolic/symbolicUtility.ml
+++ b/src/symbolic/symbolicUtility.ml
@@ -1,302 +1,352 @@
-open Colis_internals
 open Colis_constraints
 open Semantics__Result
 open Semantics__Buffers
-open SymbolicInterpreter__Semantics
-
-type utility = state -> (state * bool result) list
-
-let return result : utility =
-  function sta -> [sta, Ok result]
-
-let apply_to_list l u =
-  (* apply utility [u] to a list [l] of states *)
-  List.concat (List.map u l)
-
-let separate_states l =
-  (* split a list of pairs state*bool into the list of states with flag
-     [true] and the list of pairs with flag [false]
-   *)
-  let rec separate_aux posacc negacc incacc = function
-    | [] -> (posacc,negacc,incacc)
-    | (s, Ok true)::l -> separate_aux (s::posacc) negacc incacc l
-    | (s, Ok false)::l -> separate_aux posacc (s::negacc) incacc l
-    | (_, Incomplete) as s::l -> separate_aux posacc negacc (s::incacc) l
-  in separate_aux [] [] [] l
-
-let choice u1 u2 =
-  (* non-deterministic choice *)
-  function state -> (u1 state) @ (u2 state)
-
-let if_then_else (cond:utility) (posbranch:utility) (negbranch:utility) =
-  function sta ->
-    let (posstates,negstates,incstates) = separate_states (cond sta)
-    in
-    (apply_to_list posstates posbranch)
-    @ (apply_to_list negstates negbranch)
-    @ incstates
 
-let if_then (cond:utility) (posbranch:utility) =
-  function sta ->
-    let (posstates,negstates,incstates) = separate_states (cond sta)
-    in
-    (apply_to_list posstates posbranch)
-    @ (List.map (function sta -> (sta,Ok true)) negstates)
-    @ incstates
-
-let uneg (u:utility) : utility = fun st ->
-  List.map (function (s,Ok b) -> (s, Ok (not b)) | x -> x) (u st)
-
-let combine_results combinator u1 u2 : utility = fun st ->
-  List.flatten
-    (List.map
-       (function (s1,Ok b1) ->
-          List.map (function
-              | (s2,Ok b2) -> (s2,Ok(combinator b1 b2))
-              | x -> x) (u2 s1)
-          | x -> [x])
-       (u1 st))
-
-let uand =
-  combine_results ( && )
-
-let uor =
-  combine_results ( || )
-
-let multiple_times what args : utility =
-  let rec aux = function
-    | [] -> assert false (* By precondition. *)
-    | [x] -> what x
-    | x :: xs -> uand (what x) (aux xs)
-  in
-  aux args
-
-let compose_non_strict (u1:utility) (u2:utility) =
-  function sta ->
-    apply_to_list (List.map fst (u1 sta)) u2
-
-let compose_strict (u1:utility) (u2:utility) =
-  function sta ->
-    let (success1,failure1,incomplete1) = separate_states (u1 sta)
-    in (apply_to_list success1 u2) @
-       (List.map (function sta -> (sta,Ok false)) failure1) @
-       incomplete1
-
-let print_output ~newline str output =
-  let output = Stdout.output str output in
-  if newline then Stdout.newline output else output
-
-let print_stdout ~newline str sta =
-  let stdout = print_output ~newline str sta.stdout in
-  let log = print_output ~newline str sta.log in
-  {sta with stdout; log}
-
-let print_error str sta =
-  let log = print_output ~newline:true ("[ERROR] "^str) sta.log in
-  {sta with log}
-
-let print_utility_trace str sta =
-  if String.equal str "" then
-    sta
-  else
-    let log =
-      print_output ~newline:true ("[TRACE] "^str) sta.log in
-    {sta with log}
+module type FILESYSTEM = sig
+  type filesystem
+end
 
-let print_incomplete_trace str sta =
-  if String.equal str "" then
-    sta
-  else
-    let log = print_output ~newline:true ("[INCOMPLETE] "^str) sta.log in
-    {sta with log}
+module type CASESPEC = sig
+  type case_spec
+  val noop : case_spec
+  type filesystem
+  val apply_spec : filesystem -> case_spec -> filesystem list
+end
 
-type case_spec = Var.t -> Var.t -> Clause.t
+module Make (Filesystem: FILESYSTEM) = struct
 
-let noop : case_spec =
-  Clause.eq
+  module Semantics = SymbolicInterpreter__Interpreter.MakeSemantics (Filesystem)
+  open Semantics
 
-type case = {
-  result : bool result;
-  spec : case_spec;
-  descr : string;
-  stdout : Stdout.t ;
-  error_message: string option;
-}
+  type utility = state -> (state * bool result) list
+
+  let print_output ~newline str output =
+    let output = Stdout.output str output in
+    if newline then Stdout.newline output else output
 
-let success_case ~descr ?(stdout=Stdout.empty) spec =
-  { result = Ok true ; error_message = None ; stdout ; descr; spec }
-
-let error_case ~descr ?(stdout=Stdout.empty) ?error_message spec =
-  { result = Ok false ; error_message ; stdout ; descr ; spec }
-
-let incomplete_case ~descr spec =
-  { result = Incomplete ;
-    descr ;
-    stdout = Stdout.empty ;
-    error_message = None;
-    spec }
-
-(** Apply the case specifications to a filesystem, resulting in a list of possible filesystems. *)
-let apply_spec fs spec =
-  let open SymbolicInterpreter__Filesystem in
-  let root_is_root0 =
-    (* fs.root0 = Some fs.root - garbare-collect fs.root only otherwise *)
-    match fs.root0 with
-    | Some root0 -> Var.equal root0 fs.root
-    | None -> false in
-  let root' = Var.fresh ~hint:(Var.hint fs.root) () in
-  let clause = spec fs.root root' in
-  let clauses = Clause.add_to_sat_conj clause fs.clause in
-  let clauses =
-    if root_is_root0 then
-      clauses
+  let print_stdout ~newline str sta =
+    let stdout = print_output ~newline str sta.stdout in
+    let log = print_output ~newline str sta.log in
+    {sta with stdout; log}
+
+  let print_error str sta =
+    let log = print_output ~newline:true ("[ERROR] "^str) sta.log in
+    {sta with log}
+
+  let print_utility_trace str sta =
+    if String.equal str "" then
+      sta
     else
-      List.flatten
-        (List.map (Clause.quantify_over_and_simplify fs.root)
-           clauses) in
-  List.map (fun clause -> {fs with clause; root=root'}) clauses
-
-(** Apply a case to a state.
-
-    This may result in multiple states because the integration of the case clause in the
-    filesystem may result in multiple clauses. *)
-let apply_case sta case : (state * bool result) list =
-  (* First print the utility trace *)
-  let sta =
-    if case.result = Incomplete
-    then sta (* Print incomplete trace last *)
-    else print_utility_trace case.descr sta in
-  let sta = {
-    (* output case stdout to stdout and log *)
-    stdout = Stdout.concat sta.stdout case.stdout;
-    log = Stdout.concat sta.log case.stdout;
-    (* don't touch stdin *)
-    stdin = sta.stdin;
-    (* and keep the filesystem (may be changed by apply_spec) *)
-    filesystem = sta.filesystem;
-  } in
-  (* (Optionally) print error message *)
-  let sta =
-    match case.error_message with
-    | Some msg -> print_error msg sta
-    | None -> sta in
-  let sta =
-    if case.result = Incomplete
-    then print_incomplete_trace case.descr sta
-    else sta in
-  (* Apply the case specifications to the filesystem *)
-  apply_spec sta.filesystem case.spec |>
-  (* Inject the resulting filesystems into the state *)
-  List.map (fun filesystem -> {sta with filesystem}) |>
-  (* Add the result to each result state *)
-  List.map (fun sta -> sta, case.result)
-
-let specification_cases cases state =
-  List.flatten (List.map (apply_case state) cases)
-
-(******************************************************************************)
-(*                                  Auxiliaries                               *)
-(******************************************************************************)
-
-let last_comp_as_hint: root:Var.t -> Path.t -> string option =
-  fun ~root path ->
-    match Path.split_last path with
-    | Some (_, Down f) ->
-      Some (Feat.to_string f)
-    | None -> (* Empty parent path => root *)
-      Some (Var.hint root)
-    | Some (_, (Here|Up)) ->
-       (* We can’t know (if last component in parent path is a symbolic link) *)
-      None
+      let log = print_output ~newline:true ("[TRACE] "^str) sta.log in
+      {sta with log}
 
-let error ~utility msg : utility =
-  fun sta ->
-    let str = utility ^ ": " ^ msg in
-    let sta' = print_error str sta in
-    [ sta', Ok false ]
+  let print_incomplete_trace str sta =
+    let log = print_output ~newline:true ("[INCOMPLETE] "^str) sta.log in
+    {sta with log}
 
-let incomplete ~utility msg : utility =
-  fun sta ->
+  let error ~utility msg : utility =
+    fun sta ->
     let str = utility ^ ": " ^ msg in
-    [print_incomplete_trace str sta, Incomplete]
+    let sta = print_error str sta in
+    [sta, Ok false]
 
-let unknown ~utility msg : utility =
-  match !Options.unknown_behaviour with
-  | Exception -> raise (Errors.Unknown_behaviour (utility, msg))
-  | Incomplete -> incomplete ~utility msg
-  | Error -> error ~utility "not found"
+  let incomplete ~utility msg : utility =
+    fun sta ->
+    let str = utility ^ ": " ^ msg in
+    let sta = print_incomplete_trace str sta in
+    [sta, Incomplete]
+
+  let unknown ~utility msg : utility =
+    let open Colis_internals in
+    match !Options.unknown_behaviour with
+    | Exception -> raise (Errors.Unknown_behaviour (utility, msg))
+    | Incomplete -> incomplete ~utility msg
+    | Error -> error ~utility "not found"
+
+  let table : (string, utility_context -> utility) Hashtbl.t =
+    let table = Hashtbl.create 10 in
+    (* TODO Register all POSIX utilities as: incomplete ~descr:(name^": not implemented") *)
+    table
+
+  module type SYMBOLIC_UTILITY = sig
+    val name : string
+    val interprete : utility_context -> utility
+  end
+
+  let register (module M: SYMBOLIC_UTILITY) =
+    Hashtbl.replace table M.name M.interprete
+
+  let is_registered = Hashtbl.mem table
+
+  let dispatch ~name =
+    try Hashtbl.find table name
+    with Not_found ->
+    fun _ctx sta ->
+      unknown ~utility:name "command not found" sta
 
-module IdMap = Env.IdMap
+  module Arg = struct
+    let sym_interp_utility (ctx, name, sta) =
+      dispatch ~name ctx sta
+  end
+
+  module Interpreter = MakeInterpreter (Arg)
+
+  type sym_state = {
+    context : Semantics__Context.context;
+    state : Semantics.state;
+  }
+
+  let interp_program inp stas pro =
+    let stas = List.map (fun {context; state} -> Interpreter.({context; state; data=()})) stas in
+    Interpreter.interp_program inp stas pro
+
+  let call name ctx args =
+    dispatch ~name {ctx with args}
+
+  let return result : utility =
+    function sta ->
+      [sta, Ok result]
+
+  let apply_to_list l u =
+    (* apply utility [u] to a list [l] of states *)
+    List.concat (List.map u l)
+
+  let separate_states l =
+    (* split a list of pairs state*bool into the list of states with flag
+       [true] and the list of pairs with flag [false]
+    *)
+    let rec separate_aux posacc negacc incacc = function
+      | [] -> (posacc,negacc,incacc)
+      | (s, Ok true)::l -> separate_aux (s::posacc) negacc incacc l
+      | (s, Ok false)::l -> separate_aux posacc (s::negacc) incacc l
+      | (_, Incomplete) as s::l -> separate_aux posacc negacc (s::incacc) l
+    in separate_aux [] [] [] l
+
+  let choice u1 u2 =
+    (* non-deterministic choice *)
+    function state -> (u1 state) @ (u2 state)
+
+  let if_then_else (cond:utility) (posbranch:utility) (negbranch:utility) =
+    function sta ->
+      let (posstates,negstates,incstates) = separate_states (cond sta)
+      in
+      (apply_to_list posstates posbranch)
+      @ (apply_to_list negstates negbranch)
+      @ incstates
+
+  let if_then (cond:utility) (posbranch:utility) =
+    function sta ->
+      let (posstates,negstates,incstates) = separate_states (cond sta)
+      in
+      (apply_to_list posstates posbranch)
+      @ (List.map (function sta -> (sta,Ok true)) negstates)
+      @ incstates
+
+  let uneg (u:utility) : utility = fun st ->
+    List.map (function (s,Ok b) -> (s, Ok (not b)) | x -> x) (u st)
+
+  let combine_results combinator u1 u2 : utility = fun st ->
+    List.flatten
+      (List.map
+         (function (s1,Ok b1) ->
+            List.map (function
+                | (s2,Ok b2) -> (s2,Ok(combinator b1 b2))
+                | x -> x) (u2 s1)
+                 | x -> [x])
+         (u1 st))
+
+  let uand =
+    combine_results ( && )
+
+  let uor =
+    combine_results ( || )
+
+  let multiple_times what args : utility =
+    let rec aux = function
+      | [] -> assert false (* By precondition. *)
+      | [x] -> what x
+      | x :: xs -> uand (what x) (aux xs)
+    in
+    aux args
+
+  let compose_non_strict (u1:utility) (u2:utility) =
+    function sta ->
+      apply_to_list (List.map fst (u1 sta)) u2
+
+  let compose_strict (u1:utility) (u2:utility) =
+    function sta ->
+      let (success1,failure1,incomplete1) = separate_states (u1 sta)
+      in (apply_to_list success1 u2) @
+         (List.map (function sta -> (sta,Ok false)) failure1) @
+         incomplete1
+
+  (******************************************************************************)
+  (*                                  Auxiliaries                               *)
+  (******************************************************************************)
+
+  let null_formatter = Format.make_formatter (fun _ _ _ -> ()) (fun () -> ())
+
+  let with_formatter_to_string f =
+    let buf = Buffer.create 8 in
+    let fmt = Format.formatter_of_buffer buf in
+    let v =f fmt in
+    Format.pp_print_flush fmt ();
+    (Buffer.contents buf, v)
+
+  let cmdliner_eval_utility ~utility ?(empty_pos_args=false) fun_and_args ctx =
+    let pos_args = Cmdliner.Arg.(
+        (if empty_pos_args then value else non_empty)
+        & pos_all string []
+        & info [])
+    in
+    let argv = ctx.args |> List.cons utility |> Array.of_list in
+    let (err, result) =
+      with_formatter_to_string @@ fun err ->
+      Cmdliner.Term.(
+        eval
+          (
+            fun_and_args $ const ctx $ pos_args,
+            info utility ~exits:default_exits
+          )
+          ~argv
+          ~env:(fun var -> Env.SMap.find_opt var ctx.env)
+          ~help:null_formatter ~err ~catch:false
+      )
+    in
+    match result with
+    | `Ok a -> a
+    | `Version -> error ~utility "version"
+    | `Help -> error ~utility "help"
+    | `Error (`Parse | `Term) -> unknown ~utility ("parse error: " ^ err)
+    | `Error `Exn -> assert false (* because ~catch:false *)
+
+  (**/**)
+
+  module MakeSpecifications (CaseSpec: CASESPEC with type filesystem = Filesystem.filesystem) = struct
+
+    type case = {
+      result : bool result;
+      spec : CaseSpec.case_spec;
+      descr : string;
+      stdout : Stdout.t ;
+      error_message: string option;
+    }
+
+    let success_case ~descr ?(stdout=Stdout.empty) spec =
+      { result = Ok true ; error_message = None ; stdout ; descr; spec }
+
+    let error_case ~descr ?(stdout=Stdout.empty) ?error_message spec =
+      { result = Ok false ; error_message ; stdout ; descr ; spec }
+
+    let incomplete_case ~descr spec =
+      { result = Incomplete ;
+        descr ;
+        stdout = Stdout.empty ;
+        error_message = None;
+        spec }
+
+    (** Apply a case to a state.
+
+        This may result in multiple states because the integration of the case clause in the
+        filesystem may result in multiple clauses. *)
+    let apply_case sta case : (state * bool result) list =
+      (* First print the utility trace *)
+      let sta =
+        if case.result = Incomplete
+        then sta (* Print incomplete trace last *)
+        else print_utility_trace case.descr sta in
+      let sta = {
+        (* output case stdout to stdout and log *)
+        stdout = Stdout.concat sta.stdout case.stdout;
+        log = Stdout.concat sta.log case.stdout;
+        (* don't touch stdin *)
+        stdin = sta.stdin;
+        (* and keep the filesystem (may be changed by apply_spec) *)
+        filesystem = sta.filesystem;
+      } in
+      (* (Optionally) print error message *)
+      let sta =
+        match case.error_message with
+        | Some msg -> print_error msg sta
+        | None -> sta in
+      let sta =
+        if case.result = Incomplete
+        then print_incomplete_trace case.descr sta
+        else sta in
+      (* Apply the case specifications to the filesystem *)
+      CaseSpec.apply_spec sta.filesystem case.spec |>
+      (* Inject the resulting filesystems into the state *)
+      List.map (fun filesystem -> {sta with filesystem}) |>
+      (* Add the result to each result state *)
+      List.map (fun sta -> sta, case.result)
+
+    let specification_cases cases state =
+      List.flatten (List.map (apply_case state) cases)
+  end
+end
 
-type context = {
-  args: string list;
-  cwd: Path.normal;
-  env: string IdMap.t;
+type symbolic_filesystem = {
+  root: Var.t;
+  clause: Clause.sat_conj;
+  root0: Var.t option;
 }
 
-module type SYMBOLIC_UTILITY = sig
-  val name : string
-  val interprete : context -> utility
+module SymbolicImplementation = struct
+
+  type case_spec = Var.t -> Var.t -> Clause.t
+
+  let noop = Clause.eq
+
+  type filesystem = symbolic_filesystem
+
+  (** Apply the case specifications to a filesystem, resulting in a list of possible filesystems. *)
+  let apply_spec fs spec =
+    let root_is_root0 =
+      (* fs.root0 = Some fs.root - garbare-collect fs.root only otherwise *)
+      match fs.root0 with
+      | Some root0 -> Var.equal root0 fs.root
+      | None -> false in
+    let root' = Var.fresh ~hint:(Var.hint fs.root) () in
+    let clause = spec fs.root root' in
+    let clauses = Clause.add_to_sat_conj clause fs.clause in
+    let clauses =
+      if root_is_root0 then
+        clauses
+      else
+        List.flatten
+          (List.map (Clause.quantify_over_and_simplify fs.root)
+             clauses) in
+    List.map (fun clause -> {fs with clause; root=root'}) clauses
 end
 
-let table =
-  let table = Hashtbl.create 10 in
-  (* TODO Register all POSIX utilities as: incomplete ~descr:(name^": not implemented") *)
-  table
+module Symbolic = struct
 
-let register (module M:SYMBOLIC_UTILITY) =
-  Hashtbl.replace table M.name M.interprete
+  include Make (SymbolicImplementation)
 
-let is_registered = Hashtbl.mem table
+  include MakeSpecifications (SymbolicImplementation)
 
-let dispatch ~name =
-  try Hashtbl.find table name
-  with Not_found ->
-    fun _ctx sta ->
-      unknown ~utility:name "command not found" sta
+  type context = Semantics.utility_context = {
+    cwd: Colis_constraints.Path.normal;
+    env: string Env.SMap.t;
+    args: string list;
+  }
 
-let call name ctx args =
-  dispatch ~name {ctx with args}
-
-let dispatch' (cwd, env, args) name sta =
-  let cwd = List.map Colis_constraints.Feat.from_string cwd in
-  let ctx = {cwd; args; env} in
-  BatSet.of_list (dispatch ~name ctx sta)
-
-(**/**)
-
-let null_formatter = Format.make_formatter (fun _ _ _ -> ()) (fun () -> ())
-
-let with_formatter_to_string f =
-  let buf = Buffer.create 8 in
-  let fmt = Format.formatter_of_buffer buf in
-  let v =f fmt in
-  Format.pp_print_flush fmt ();
-  (Buffer.contents buf, v)
-
-let cmdliner_eval_utility ~utility ?(empty_pos_args=false) fun_and_args ctx =
-  let pos_args = Cmdliner.Arg.(
-      (if empty_pos_args then value else non_empty)
-      & pos_all string []
-      & info [])
-  in
-  let argv = ctx.args |> List.cons utility |> Array.of_list in
-  let (err, result) =
-    with_formatter_to_string @@ fun err ->
-    Cmdliner.Term.(
-      eval
-        (
-          fun_and_args $ const ctx $ pos_args,
-          info utility ~exits:default_exits
-        )
-        ~argv
-        ~env:(fun var -> Env.IdMap.find_opt var ctx.env)
-        ~help:null_formatter ~err ~catch:false
-    )
-  in
-  match result with
-  | `Ok a -> a
-  | `Version -> error ~utility "version"
-  | `Help -> error ~utility "help"
-  | `Error (`Parse | `Term) -> unknown ~utility ("parse error: " ^ err)
-  | `Error `Exn -> assert false (* because ~catch:false *)
+  type filesystem = symbolic_filesystem = {
+    root: Var.t;
+    clause: Clause.sat_conj;
+    root0: Var.t option;
+  }
+
+  let noop = SymbolicImplementation.noop
+
+  let last_comp_as_hint: root:Var.t -> Path.t -> string option =
+    fun ~root path ->
+    match Path.split_last path with
+    | Some (_, Down f) ->
+      Some (Feat.to_string f)
+    | None -> (* Empty parent path => root *)
+      Some (Var.hint root)
+    | Some (_, (Here|Up)) ->
+      (* We can’t know (if last component in parent path is a symbolic link) *)
+      None
+end
diff --git a/src/symbolic/symbolicUtility.mli b/src/symbolic/symbolicUtility.mli
index a65a76c4..dfc4f55e 100644
--- a/src/symbolic/symbolicUtility.mli
+++ b/src/symbolic/symbolicUtility.mli
@@ -1,150 +1,203 @@
 open Colis_constraints
-open SymbolicInterpreter__Semantics
-open Semantics__Result
+open Syntax__Syntax
 open Semantics__Buffers
+open Semantics__Context
+open Semantics__Input
+open Semantics__Result
 
-(** {1 Basics of symbolic utility} *)
+(** Definition of a symbolic filesystem to instantiate the symbolic interpreter *)
+module type FILESYSTEM = sig
+  type filesystem
+end
 
-(** A utility transforms a symbolic state into a list of symbolic states
-    with boolean results *)
-type utility = state -> (state * bool result) list
+(** Definition of a case specification and its application to a filesystem to define
+    utilities by specifications. *)
+module type CASESPEC = sig
 
-(** The concrete evaluation context. It contains the fields from
-    Colis.Semantics.Context.context that are relevant to the utilities. *)
-type context = {
-  args: string list; (** Command arguments *)
-  cwd: Path.normal; (** Current working directory *)
-  env: string Env.IdMap.t; (** Variable environment *)
-}
+  (** A case specification is a function from the old root variable and the new root root
+      variable to a clause. *)
+  type case_spec
+
+  (** The no-op case specification introduces an equality constraint between the old root
+      and the new root. *)
+  val noop : case_spec
 
-(** A symbolic utility is comprised of a name and a function that interpretes a [utility]
-    in a [context]. *)
-module type SYMBOLIC_UTILITY = sig
-  val name : string
-  val interprete : context -> utility
+  type filesystem
+
+  (** Apply a case specification to a filesystem, resulting in possible multiple new
+      filesystems *)
+  val apply_spec : filesystem -> case_spec -> filesystem list
 end
 
-(** {1 Specifications of a symbolic utility} *)
+module Make (Filesystem: FILESYSTEM) : sig
+
+  module Semantics : module type of SymbolicInterpreter__Interpreter.MakeSemantics (Filesystem)
+
+  open Semantics
 
-(** A case in the specification is either a success or an error *)
-type case
+  (** {1 Interpretation of a colis program} *)
 
-(** A case specification is a function from the old root variable and the new root root
-    variable to a clause. *)
-type case_spec = Var.t -> Var.t -> Clause.t
+  type sym_state = {
+    context : context;
+    state : state;
+  }
 
-(** The no-op case specification introduces an equality constraint between the old root
-    and the new root. *)
-val noop : case_spec
+  (** [interp_program inp stas p] symbolic interpretation configured by [inp] of a program
+      [p] in a list of symbolic input states [stas]. Returns the symbolic states
+      representing successful, errorneous, and incomplete interpretation. *)
+  val interp_program : input -> sym_state list -> program -> state list * state list * state list
 
-(** A success case (aka. return 0) *)
-val success_case: descr:string -> ?stdout:Stdout.t -> case_spec -> case
+  (** {1 Basics of symbolic utility} *)
 
-(** An error case (aka return 1) *)
-val error_case: descr:string -> ?stdout:Stdout.t -> ?error_message:string -> case_spec -> case
+  (** A utility transforms a symbolic state into a list of symbolic states
+      with boolean results *)
+  type utility = state -> (state * bool result) list
 
-(** An incomplete case (unknown behaviour, cannot be symbolically executed) *)
-val incomplete_case: descr:string -> case_spec -> case
+  (** {1 Registration and dispatch of utilities} *)
 
-(** Use a list of cases to specify a utility. Corresponds to a table in the
-    document "Specification of UNIX Utilities "*)
-val specification_cases : case list -> utility
+  (** A symbolic utility is comprised of a name and a function that interpretes a [utility]
+      in a [context]. *)
+  module type SYMBOLIC_UTILITY = sig
+    val name : string
+    val interprete : utility_context -> utility
+  end
 
-(** {1 Registration} *)
+  (** Register a symbolic utility *)
+  val register : (module SYMBOLIC_UTILITY) -> unit
 
-(** Register a symbolic utility *)
-val register : (module SYMBOLIC_UTILITY) -> unit
+  val is_registered : string -> bool
 
-val is_registered : string -> bool
+  (** A saner way to call [dispatch] (e.g. in the implementation of utilities) *)
+  val call : string -> utility_context -> string list -> utility
 
-(** {1 Dispatch} *)
+  (** {1 Basic utilities} *)
 
-(** Entry-point for the interpretation of symbolic utilties *)
-val dispatch : name:string -> context -> utility
+  (** Error utility *)
+  val error : utility:string -> string -> utility
 
-(** A saner way to call [dispatch] (e.g. in the implementation of utilities) *)
-val call : string -> context -> string list -> utility
+  (** Unsupported stuff in a known utility. *)
+  val incomplete : utility:string -> string -> utility
 
-(** {1 Combinators} *)
+  (* Unknown-unknown behaviour *)
+  val unknown : utility:string -> string -> utility
 
-(** [choice u1 u2]  yields the utility that non-deterministacillay
-    behaves like [u1] or [u2].  *)
-val choice : utility -> utility -> utility
+  (** {2 Printing} *)
 
-(** [return b] yields the utility that does not change its state, and
-    succeeds if and only if [b] is [true] *)
-val return : bool -> utility
+  (** Print to stdout and log *)
+  val print_stdout : newline:bool -> string -> state -> state
 
-(** [if_then_else u1 u2 u3] yields the utility that behaves like
-    if [u1]  then [u2] else [u3] fi *)
-val if_then_else : utility -> utility -> utility -> utility
+  (** Print message as utility trace to log if it is not empty (marked as [UTL]) *)
+  val print_utility_trace : string -> state -> state
 
-(** [if_then u1 u2] yields the utility that behaves like
-    if [u1] then [u2] fi *)
-val if_then : utility -> utility -> utility
+  (** {1 Utility combinators} *)
 
-(** [uneg u] yields the utility that behaves like [u] but inverts its result *)
-val uneg : utility -> utility
+  (** [choice u1 u2]  yields the utility that non-deterministacillay
+      behaves like [u1] or [u2].  *)
+  val choice : utility -> utility -> utility
 
-(** [uand u1 u2] yields the utility that behaves like [u1 && u2] in a NON-LAZY manner *)
-val uand : utility -> utility -> utility
+  (** [return b] yields the utility that does not change its state, and
+      succeeds if and only if [b] is [true] *)
+  val return : bool -> utility
 
-(** [uor u1 u2] yields the utility that behaves like [u1 || u2] in a NON-LAZY manner *)
-val uor : utility -> utility -> utility
+  (** [if_then_else u1 u2 u3] yields the utility that behaves like
+      if [u1]  then [u2] else [u3] fi *)
+  val if_then_else : utility -> utility -> utility -> utility
 
-(** multiple_times [what] [args] executes [what] on every argument in
-   [args]. It does not stop if one of these executions fails but the
-   global utility fails in the case. *)
-val multiple_times : ('a -> utility) -> 'a list -> utility
+  (** [if_then u1 u2] yields the utility that behaves like
+      if [u1] then [u2] fi *)
+  val if_then : utility -> utility -> utility
 
-(** compose_non_strict [u1] [u2] yields the utility that behaves like
-    [u1]; [u2] in non-strict mode, that is the error code of [u1] is
-    ignored *)
-val compose_non_strict : utility -> utility -> utility
+  (** [uneg u] yields the utility that behaves like [u] but inverts its result *)
+  val uneg : utility -> utility
 
-(** compose_strict [u1] [u2] yields the utility that behaves like
-    [u1]; [u2] in strict mode, that is if [u1] fails then the composition
-    fails and [u2]  is not executed    *)
-val compose_strict : utility -> utility -> utility
+  (** [uand u1 u2] yields the utility that behaves like [u1 && u2] in a NON-LAZY manner *)
+  val uand : utility -> utility -> utility
 
-(** {1 Auxiliaries} *)
+  (** [uor u1 u2] yields the utility that behaves like [u1 || u2] in a NON-LAZY manner *)
+  val uor : utility -> utility -> utility
 
-(** Error utility *)
-val error : utility:string -> string -> utility
+  (** multiple_times [what] [args] executes [what] on every argument in
+      [args]. It does not stop if one of these executions fails but the
+      global utility fails in the case. *)
+  val multiple_times : ('a -> utility) -> 'a list -> utility
 
-(** Unsupported stuff in a known utility. *)
-val incomplete : utility:string -> string -> utility
+  (** compose_non_strict [u1] [u2] yields the utility that behaves like
+      [u1]; [u2] in non-strict mode, that is the error code of [u1] is
+      ignored *)
+  val compose_non_strict : utility -> utility -> utility
 
-(* Unknown-unknown behaviour *)
-val unknown : utility:string -> string -> utility
+  (** compose_strict [u1] [u2] yields the utility that behaves like
+      [u1]; [u2] in strict mode, that is if [u1] fails then the composition
+      fails and [u2]  is not executed    *)
+  val compose_strict : utility -> utility -> utility
 
-(** {2 Printing} *)
+  (** {1 Arguments Parsing} *)
 
-(** Print to stdout and log *)
-val print_stdout : newline:bool -> string -> state -> state
+  val cmdliner_eval_utility :
+    utility:string ->
+    ?empty_pos_args:bool ->
+    (utility_context -> string list -> utility) Cmdliner.Term.t ->
+    utility_context -> utility
+  (** A wrapper around [Cmdliner.Term.eval] for utilities. [utility] is the name
+      of the utility. [empty_pos_args] describe whether empty positional arguments
+      lists are accepted or not (refused by default). *)
 
-(** Print message as utility trace to log if it is not empty (marked as [UTL]) *)
-val print_utility_trace : string -> state -> state
+  (** {1 Specifications of a symbolic utility} *)
 
-(** {2 Path parsing}*)
+  module MakeSpecifications (CaseSpec: CASESPEC with type filesystem = Filesystem.filesystem) : sig
 
-(** Get the name of the last path component, if any, or of the hint
-    root variable otherwise. The result is useful as a hint for
-    creating variables for resolving the path. *)
-val last_comp_as_hint: root:Var.t -> Path.t -> string option
+    (** A case in the specification is either a success, an error, or incomplete *)
+    type case
 
-(** {2 Arguments Parsing} *)
+    (** A success case (aka. return 0) *)
+    val success_case: descr:string -> ?stdout:Stdout.t -> CaseSpec.case_spec -> case
 
-val cmdliner_eval_utility :
-  utility:string ->
-  ?empty_pos_args:bool ->
-  (context -> string list -> utility) Cmdliner.Term.t ->
-  context -> utility
-(** A wrapper around [Cmdliner.Term.eval] for utilities. [utility] is the name
-    of the utility. [empty_pos_args] describe whether empty positional arguments
-    lists are accepted or not (refused by default). *)
+    (** An error case (aka return 1) *)
+    val error_case: descr:string -> ?stdout:Stdout.t -> ?error_message:string -> CaseSpec.case_spec -> case
 
-(**/**)
+    (** An incomplete case (unknown behaviour, cannot be symbolically executed) *)
+    val incomplete_case: descr:string -> CaseSpec.case_spec -> case
+
+    (** Use a list of cases to specify a utility. Corresponds to a table in the
+        document "Specification of UNIX Utilities "*)
+    val specification_cases : case list -> utility
+  end
+end
 
-(** A wrapper of [dispatch] for use in the Why3 driver *)
-val dispatch' : (string list * string Env.IdMap.t * string list) -> string -> state -> (state * bool result) BatSet.t
+type symbolic_filesystem = {
+  root: Var.t;
+  clause: Clause.sat_conj;
+  root0: Var.t option;
+}
+
+(** Parameterization of the symbolic engine for constraint-based filesystem
+    [symbolic_filesystem] *)
+module SymbolicImplementation : CASESPEC
+  with type filesystem = symbolic_filesystem
+   and type case_spec = Var.t -> Var.t -> Clause.t
+
+(* Compatibility with module SymbolicUtility before functorization of the symbolic engine *)
+module Symbolic : sig
+
+  include module type of Make (SymbolicImplementation)
+  include module type of MakeSpecifications (SymbolicImplementation)
+
+  type context = Semantics.utility_context = {
+    cwd: Path.normal;
+    env: string Env.SMap.t;
+    args: string list;
+  }
+
+  type filesystem = symbolic_filesystem = {
+    root: Var.t;
+    clause: Clause.sat_conj;
+    root0: Var.t option;
+  }
+
+  val noop : SymbolicImplementation.case_spec
+
+  (** Get the name of the last path component, if any, or of the hint
+      root variable otherwise. The result is useful as a hint for
+      creating variables for resolving the path. *)
+  val last_comp_as_hint: root:Var.t -> Path.t -> string option
+end
diff --git a/src/symbolic/utilities/basics.ml b/src/symbolic/utilities/basics.ml
index 58cff4ff..8f10a5a9 100644
--- a/src/symbolic/utilities/basics.ml
+++ b/src/symbolic/utilities/basics.ml
@@ -1,5 +1,4 @@
-open SymbolicUtility
-
+open SymbolicUtility.Symbolic
 
 module True = struct
   let name = "true"
diff --git a/src/symbolic/utilities/colisInternalUnsafeTouch.ml b/src/symbolic/utilities/colisInternalUnsafeTouch.ml
index 44c6a86d..c52e4447 100644
--- a/src/symbolic/utilities/colisInternalUnsafeTouch.ml
+++ b/src/symbolic/utilities/colisInternalUnsafeTouch.ml
@@ -1,7 +1,7 @@
 open Format
 open Colis_constraints
 open Clause
-open SymbolicUtility
+open SymbolicUtility.Symbolic
 
 let name = "colis_internal_unsafe_touch"
 
diff --git a/src/symbolic/utilities/cp.ml b/src/symbolic/utilities/cp.ml
index 33b8835b..4adce308 100644
--- a/src/symbolic/utilities/cp.ml
+++ b/src/symbolic/utilities/cp.ml
@@ -1,8 +1,7 @@
 open Format
 open Colis_constraints
 open Clause
-open SymbolicUtility
-
+open SymbolicUtility.Symbolic
 let name = "cp"
 
 (*
diff --git a/src/symbolic/utilities/cp.mli b/src/symbolic/utilities/cp.mli
index 7cc30031..269cb613 100644
--- a/src/symbolic/utilities/cp.mli
+++ b/src/symbolic/utilities/cp.mli
@@ -1,4 +1,5 @@
 (** Symbolic execution of cp *)
+open SymbolicUtility.Symbolic
 
 val name : string
-val interprete : SymbolicUtility.context -> SymbolicUtility.utility
+val interprete : context -> utility
diff --git a/src/symbolic/utilities/dpkg.ml b/src/symbolic/utilities/dpkg.ml
index 8121487f..19dd5340 100644
--- a/src/symbolic/utilities/dpkg.ml
+++ b/src/symbolic/utilities/dpkg.ml
@@ -1,4 +1,4 @@
-open SymbolicUtility
+open SymbolicUtility.Symbolic
 open Semantics__Result
 
 let name = "dpkg"
diff --git a/src/symbolic/utilities/dpkgMaintscriptHelper.ml b/src/symbolic/utilities/dpkgMaintscriptHelper.ml
index 8db76ea4..85fdb309 100644
--- a/src/symbolic/utilities/dpkgMaintscriptHelper.ml
+++ b/src/symbolic/utilities/dpkgMaintscriptHelper.ml
@@ -1,7 +1,7 @@
 (** Symbolic execution of dpkg-maintscript-helper. The structure of
     this code follows the implementation of version 1.19.6. *)
 
-open SymbolicUtility
+open SymbolicUtility.Symbolic
 
 let name = "dpkg-maintscript-helper"
 
@@ -429,19 +429,19 @@ let interprete ctx =
      sub-commands except 'supports' has been factored out into the
      main code. *)
   let dms_package =
-    try Env.IdMap.find "DPKG_MAINTSCRIPT_PACKAGE" ctx.env
+    try Env.SMap.find "DPKG_MAINTSCRIPT_PACKAGE" ctx.env
     with Not_found ->
       raise (Error
                "environment variable DPKG_MAINTSCRIPT_PACKAGE is required")
   in
   let default_package =
     try
-      let dpkg_arch = Env.IdMap.find "DPKG_MAINTSCRIPT_ARCH" ctx.env
+      let dpkg_arch = Env.SMap.find "DPKG_MAINTSCRIPT_ARCH" ctx.env
       in dms_package^":"^dpkg_arch
     with Not_found -> dms_package
   in
   let dms_name =
-    try Env.IdMap.find "DPKG_MAINTSCRIPT_NAME" ctx.env
+    try Env.SMap.find "DPKG_MAINTSCRIPT_NAME" ctx.env
     with
     | Not_found ->
        raise (Error
diff --git a/src/symbolic/utilities/dpkgMaintscriptHelper.mli b/src/symbolic/utilities/dpkgMaintscriptHelper.mli
index 5b26b47b..93aaf109 100644
--- a/src/symbolic/utilities/dpkgMaintscriptHelper.mli
+++ b/src/symbolic/utilities/dpkgMaintscriptHelper.mli
@@ -1,4 +1,5 @@
 (** Symbolic execution of dpkg-maintscript-helper *)
+open SymbolicUtility.Symbolic
 
 val name : string
-val interprete : SymbolicUtility.context -> SymbolicUtility.utility
+val interprete : context -> utility
diff --git a/src/symbolic/utilities/emacsPackage.ml b/src/symbolic/utilities/emacsPackage.ml
index 1bba2484..5a017050 100644
--- a/src/symbolic/utilities/emacsPackage.ml
+++ b/src/symbolic/utilities/emacsPackage.ml
@@ -1,5 +1,5 @@
 open Format
-open SymbolicUtility
+open SymbolicUtility.Symbolic
 
 module Install = struct
   let name = "/usr/lib/emacsen-common/emacs-package-install"
diff --git a/src/symbolic/utilities/emacsPackage.mli b/src/symbolic/utilities/emacsPackage.mli
index c7eba2ee..789ced53 100644
--- a/src/symbolic/utilities/emacsPackage.mli
+++ b/src/symbolic/utilities/emacsPackage.mli
@@ -1,13 +1,14 @@
 (** Symbolic execution of emacs-package-[install|remove] *)
+open SymbolicUtility.Symbolic
 
 module Install : sig
   val name : string
-  val interprete : SymbolicUtility.context -> SymbolicUtility.utility
+  val interprete : context -> utility
 end
 
 module Remove : sig
   val name : string
-  val interprete : SymbolicUtility.context -> SymbolicUtility.utility
+  val interprete : context -> utility
 end
 
 
diff --git a/src/symbolic/utilities/mkdir.ml b/src/symbolic/utilities/mkdir.ml
index 8afbed82..79b75ee8 100644
--- a/src/symbolic/utilities/mkdir.ml
+++ b/src/symbolic/utilities/mkdir.ml
@@ -1,7 +1,7 @@
 open Format
 open Colis_constraints
 open Clause
-open SymbolicUtility
+open SymbolicUtility.Symbolic
 
 let name = "mkdir"
 
diff --git a/src/symbolic/utilities/mkdir.mli b/src/symbolic/utilities/mkdir.mli
index 72649baf..84073e65 100644
--- a/src/symbolic/utilities/mkdir.mli
+++ b/src/symbolic/utilities/mkdir.mli
@@ -1,4 +1,5 @@
 (** Symbolic execution of mkdir *)
+open SymbolicUtility.Symbolic
 
 val name : string
-val interprete : SymbolicUtility.context -> SymbolicUtility.utility
+val interprete : context -> utility
diff --git a/src/symbolic/utilities/mv.ml b/src/symbolic/utilities/mv.ml
index e34c5b5d..44c071b0 100644
--- a/src/symbolic/utilities/mv.ml
+++ b/src/symbolic/utilities/mv.ml
@@ -1,7 +1,7 @@
 open Format
 open Colis_constraints
 open Clause
-open SymbolicUtility
+open SymbolicUtility.Symbolic
 
 let name = "mv"
 
diff --git a/src/symbolic/utilities/mv.mli b/src/symbolic/utilities/mv.mli
index adbabc34..c2f67e93 100644
--- a/src/symbolic/utilities/mv.mli
+++ b/src/symbolic/utilities/mv.mli
@@ -1,4 +1,5 @@
 (** Symbolic execution of mv *)
+open SymbolicUtility.Symbolic
 
 val name : string
-val interprete : SymbolicUtility.context -> SymbolicUtility.utility
+val interprete : context -> utility
diff --git a/src/symbolic/utilities/rm.ml b/src/symbolic/utilities/rm.ml
index 7f36f2c4..8ec80385 100644
--- a/src/symbolic/utilities/rm.ml
+++ b/src/symbolic/utilities/rm.ml
@@ -1,7 +1,7 @@
 open Format
 open Colis_constraints
 open Clause
-open SymbolicUtility
+open SymbolicUtility.Symbolic
 
 let name = "rm"
 
diff --git a/src/symbolic/utilities/rm.mli b/src/symbolic/utilities/rm.mli
index 29043abf..122237a7 100644
--- a/src/symbolic/utilities/rm.mli
+++ b/src/symbolic/utilities/rm.mli
@@ -1,2 +1,4 @@
+open SymbolicUtility.Symbolic
+
 val name : string
-val interprete : SymbolicUtility.context -> SymbolicUtility.utility
+val interprete : context -> utility
diff --git a/src/symbolic/utilities/test.ml b/src/symbolic/utilities/test.ml
index 99896fd1..43a5985f 100644
--- a/src/symbolic/utilities/test.ml
+++ b/src/symbolic/utilities/test.ml
@@ -2,7 +2,7 @@
 open Format
 open Colis_constraints
 open Clause
-open SymbolicUtility
+open SymbolicUtility.Symbolic
 
 let name = "test"
 
diff --git a/src/symbolic/utilities/test.mli b/src/symbolic/utilities/test.mli
index c93742c8..303e4061 100644
--- a/src/symbolic/utilities/test.mli
+++ b/src/symbolic/utilities/test.mli
@@ -1,7 +1,9 @@
+open SymbolicUtility.Symbolic
+
 val name : string
-val interprete : SymbolicUtility.context -> SymbolicUtility.utility
+val interprete : context -> utility
 
 module Bracket : sig
   val name : string
-  val interprete : SymbolicUtility.context -> SymbolicUtility.utility
+  val interprete : context -> utility
 end
diff --git a/src/symbolic/utilities/touch.ml b/src/symbolic/utilities/touch.ml
index efd9cfc2..31cb56da 100644
--- a/src/symbolic/utilities/touch.ml
+++ b/src/symbolic/utilities/touch.ml
@@ -1,7 +1,7 @@
 open Format
 open Colis_constraints
 open Clause
-open SymbolicUtility
+open SymbolicUtility.Symbolic
 
 let name = "touch"
 
diff --git a/src/symbolic/utilities/touch.mli b/src/symbolic/utilities/touch.mli
index 29043abf..122237a7 100644
--- a/src/symbolic/utilities/touch.mli
+++ b/src/symbolic/utilities/touch.mli
@@ -1,2 +1,4 @@
+open SymbolicUtility.Symbolic
+
 val name : string
-val interprete : SymbolicUtility.context -> SymbolicUtility.utility
+val interprete : context -> utility
diff --git a/src/symbolic/utilities/updateAlternatives.ml b/src/symbolic/utilities/updateAlternatives.ml
index 53c0e82a..e2999537 100644
--- a/src/symbolic/utilities/updateAlternatives.ml
+++ b/src/symbolic/utilities/updateAlternatives.ml
@@ -1,4 +1,4 @@
-open SymbolicUtility
+open SymbolicUtility.Symbolic
 
 let name = "update-alternatives"
 
diff --git a/src/symbolic/utilities/updateMenus.ml b/src/symbolic/utilities/updateMenus.ml
index 84743e7a..000a978e 100644
--- a/src/symbolic/utilities/updateMenus.ml
+++ b/src/symbolic/utilities/updateMenus.ml
@@ -1,4 +1,4 @@
-open SymbolicUtility
+open SymbolicUtility.Symbolic
 
 let name = "update-menus"
 
diff --git a/src/symbolic/utilities/updateMenus.mli b/src/symbolic/utilities/updateMenus.mli
index 29043abf..122237a7 100644
--- a/src/symbolic/utilities/updateMenus.mli
+++ b/src/symbolic/utilities/updateMenus.mli
@@ -1,2 +1,4 @@
+open SymbolicUtility.Symbolic
+
 val name : string
-val interprete : SymbolicUtility.context -> SymbolicUtility.utility
+val interprete : context -> utility
diff --git a/src/symbolic/utilities/which.ml b/src/symbolic/utilities/which.ml
index 8bf40bff..5015e7ac 100644
--- a/src/symbolic/utilities/which.ml
+++ b/src/symbolic/utilities/which.ml
@@ -1,7 +1,7 @@
 open Format
 open Colis_constraints
 open Clause
-open SymbolicUtility
+open SymbolicUtility.Symbolic
 open Semantics__Result
 open Semantics__Buffers
 
diff --git a/src/symbolic/utilities/which.mli b/src/symbolic/utilities/which.mli
index 09391ded..bb0514f9 100644
--- a/src/symbolic/utilities/which.mli
+++ b/src/symbolic/utilities/which.mli
@@ -1,7 +1,9 @@
+open SymbolicUtility.Symbolic
+
 val name : string
-val interprete : SymbolicUtility.context -> SymbolicUtility.utility
+val interprete : context -> utility
 
 module Silent : sig
   val name : string
-  val interprete : SymbolicUtility.context -> SymbolicUtility.utility
+  val interprete : context -> utility
 end